Administrative User Creation in LA-Studio Element Kit for Elementor
CVE-2026-0920 is an administrative user creation vulnerability in the LA-Studio Element Kit for Elementor WordPress plugin affecting all versions up to and including 1.5.6.3. The flaw is caused by the plugin's ajax_register_handle function failing to restrict or validate the role assigned during user registration. As a result, an unauthenticated attacker can submit a crafted registration request containing the lakit_bkrole parameter and set the new account's role to administrator. This results in privilege assignment during registration without proper authorization checks.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a single Python exploit script (CVE-2026-0920.py), a custom license, and a detailed README. The Python script is a multithreaded operational exploit targeting a claimed unauthenticated privilege-escalation flaw in the WordPress plugin LA-Studio Element Kit for Elementor <= 1.5.6.3. Its workflow is: normalize target URLs, request several public front-end paths to scrape an exposed ajax nonce from HTML/JavaScript, then send a crafted registration request to /wp-admin/admin-ajax.php using action=lakit_ajax and attacker-controlled registration fields. The exploit is designed to create a new administrator account with hardcoded default credentials, verify success, and save successful targets to success_results.txt. The script supports bulk targeting from a list file, randomized User-Agent headers, disabled TLS verification, and concurrent worker threads. The README mirrors the exploit logic and explains the vulnerable parameter (lakit_bkrole) and the intended attack chain. Overall, this is a real exploit implementation rather than a detector or README-only repository.
Repository contains a single Python PoC exploit script for CVE-2026-0920 targeting the WordPress plugin “LA-Studio Element Kit for Elementor” (<= 1.5.6.3). The exploit abuses an intentional backdoor parameter (`lakit_bkrole`) in the plugin’s registration AJAX handler to create a new user with Administrator privileges.
Structure:
- `CVE-2026-0920.py`: Main exploit. Uses `requests.Session()` and sends a POST to `{target}/wp-admin/admin-ajax.php` with `action=lakit_ajax`, a user-supplied `_nonce`, and an `actions` parameter containing a JSON string that triggers `register` and sets `lakit_bkrole` to `administrator`. Supports a custom User-Agent and an optional Cookie header. TLS verification is disabled (`verify=False`).
- `README.md`: Technical description, exploitation steps (notably nonce acquisition), and an example command.
- `requeriments.txt`: Python dependencies.
- `LICENSE`: MIT.
Exploit capability and outcome:
- Primary capability: unauthenticated administrative account creation (full site takeover) by registering a new user and forcing role escalation via `lakit_bkrole=administrator`.
- Prerequisite: a valid WordPress AJAX nonce for the `lakit_ajax` action (the PoC does not include nonce discovery; it must be obtained separately).
Notable implementation details:
- Endpoint targeted is the standard WordPress AJAX handler `/wp-admin/admin-ajax.php`.
- Success detection is simplistic (checks for '"success":true' and '200' in the response body rather than the HTTP status code), but the core request construction reflects the described backdoor trigger.
Repository purpose: a Python-based “mass exploiter” for a claimed WordPress plugin vulnerability (CVE-2026-0920) in “LA-Studio Element Kit for Elementor” (<= 1.5.6.3), aiming to create an administrator account without authentication.
Structure:
- CVE-2026-0920.py: main exploit tool (threaded scanner/exploiter). Implements banner display, target ingestion, WordPress detection, plugin indicator checks, vulnerability verification, credential generation, exploitation attempt, and optional login verification. Uses requests with SSL verification disabled and rotates User-Agent strings.
- README.md: usage instructions, ethical warning, feature list, and examples.
- Baner.txt: ASCII art banner.
- url.txt: placeholder example target URL.
- LICENSE/.gitignore: standard.
Exploit capabilities (from code/README):
- Mass target processing with configurable threads/timeouts.
- WordPress fingerprinting via GET requests to common WP paths (/wp-login.php, /wp-admin/, /readme.html, /wp-includes/, /xmlrpc.php).
- Plugin presence heuristics via keyword indicators (la-studio-element-kit, element-kit, lakit, lastudio).
- Auto-generation of credentials (username/email/password) and reporting.
- Writes results to VLUN.txt (vulnerable) and VLUN_V.txt (verified exploited with credentials).
Notes/limitations:
- The provided code excerpt is truncated at the core exploitation logic, but the surrounding scaffolding and README clearly indicate the intended outcome: unauthenticated admin creation via a plugin AJAX endpoint and subsequent login verification. No hardcoded C2 infrastructure is present; targets are user-supplied URLs.
Repository contains a Go-based exploit PoC for CVE-2026-0920 affecting the WordPress plugin “LA-Studio Element Kit for Elementor” (lastudio-element-kit) <= 1.5.6.3. The exploit performs an unauthenticated privilege escalation by creating a new WordPress user with the Administrator role.
Structure:
- CVE-2026-0920.go: Standalone Go program (main package) implementing the exploit end-to-end.
- Recon/scrape phase: Issues an HTTP GET to a user-supplied page URL (typically a register/login page containing the plugin widget) and extracts the required nonce values using regexes: "ajaxNonce" (global) and "lakit-register-nonce" (register). It also attempts to extract the correct AJAX endpoint from "ajaxUrl"/"ajax_url" in the page source.
- Target endpoint selection: Uses the scraped ajax URL if present; otherwise guesses /wp-admin/admin-ajax.php (with a special-case guess for paths containing /vuln-site/).
- Exploit delivery: Sends an HTTP POST to admin-ajax.php with form fields action=lakit_ajax, _nonce=<globalNonce>, and actions=<JSON>. The JSON encodes a “register” action whose data includes the hidden backdoor field lakit_bkrole set to "administrator" along with username/email/password and the register nonce.
- Success check: Treats HTTP 200 plus a response containing "success":true or "type":"success" as successful account creation and prints the created credentials.
- Transport behavior: Disables TLS certificate verification (InsecureSkipVerify=true) and uses a 15s timeout.
- README.md: Usage instructions and vulnerability description; confirms the intended effect is unauthenticated admin account creation via lakit_ajax and lakit_bkrole.
Overall purpose/capabilities:
- Automates nonce discovery and AJAX endpoint discovery from a target page.
- Exploits the plugin’s backdoor registration handler by injecting lakit_bkrole=administrator to create an admin user without authentication.
- Provides configurable target URL and credentials via CLI flags (-u, -user, -email, -pass) and supports manual nonce override (-nonce, -rnonce).
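For defenders, an added detection example (not code from any of the repositories above or from the plugin itself): it flags POSTs to admin-ajax.php with action=lakit_ajax whose batched `actions` JSON carries a `lakit_bkrole` key, the role override all four exploits send. The request records, the inner JSON layout and EXPECTED_ROLE are constructed assumptions; a plain access log does not record POST bodies, so feed it from a WAF or ModSecurity audit log.

```python
import json
from urllib.parse import parse_qs

# Assumption: the site's intended self-registration role (WordPress default_role).
EXPECTED_ROLE = "subscriber"


def _find_keys(node, key):
    """Yield every value stored under `key` anywhere in a nested JSON value."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from _find_keys(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from _find_keys(item, key)


def inspect_request(method, path, body):
    """Return a finding for one (method, path, body) record, or None."""
    if method != "POST" or not path.split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
        return None
    form = parse_qs(body, keep_blank_values=True)
    if form.get("action", [""])[0] != "lakit_ajax":
        return None
    try:
        actions = json.loads(form.get("actions", [""])[0])
    except ValueError:  # not the plugin's JSON batch format; nothing to inspect
        return None
    # Walk the whole JSON so the check does not depend on the exact nesting.
    roles = [str(r) for r in _find_keys(actions, "lakit_bkrole")]
    if not roles:
        return None
    severity = "high" if any(r != EXPECTED_ROLE for r in roles) else "info"
    return {"path": path, "requested_roles": roles, "severity": severity}


def scan(records):
    """Run inspect_request over an iterable of records; return the findings."""
    return [f for f in (inspect_request(*r) for r in records) if f]


# Constructed sample records; the last two mirror the request shape the write-ups describe.
SAMPLE_RECORDS = [
    ("GET", "/wp-login.php", ""),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abc"),
    ("POST", "/wp-admin/admin-ajax.php", "action=lakit_ajax&_nonce=deadbeef&actions="
     '{"register":{"action":"register","data":{"username":"u","email":"u@example.test"}}}'),
    ("POST", "/blog/wp-admin/admin-ajax.php", "action=lakit_ajax&_nonce=deadbeef&actions="
     '{"register":{"action":"register","data":{"username":"x","lakit_bkrole":"administrator"}}}'),
    ("POST", "/wp-admin/admin-ajax.php", "action=lakit_ajax&actions=not-json"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```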
Recent activity
An unauthenticated administrative user creation / privilege escalation vulnerability in the LA-Studio Element Kit for Elementor WordPress plugin, caused by insufficient restriction of user role selection during AJAX registration, allowing attackers to create an administrator account.