PT-2026-3919 · WordPress · La-Studio Element Kit For Elementor

Athiwat Tiprasaharn +2 · Published 2026-01-22 · Updated 2026-02-13 · CVE-2026-0920

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
LA-Studio Element Kit for Elementor versions through 1.5.6.3

Description
The LA-Studio Element Kit for Elementor plugin for WordPress is susceptible to unauthorized administrative user creation. This occurs because the ajax_register_handle function does not properly restrict user role assignments during registration. Unauthenticated attackers can exploit this by providing a malicious value for the lakit_bkrole parameter during the registration process, allowing them to gain administrator access to the site. Reports indicate that approximately 20,000+ WordPress sites globally may be affected. The issue was reportedly introduced by a former employee and allows for full site takeover. The lakit_bkrole parameter is used in the plugin’s registration handler to manipulate user roles.

Recommendations
Versions through 1.5.6.3 should be updated to version 1.6.0. Audit for rogue administrator users after applying the update.
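
One way to carry out the audit recommended above, as an added example that is not part of the original advisory: it filters the CSV produced by `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` and flags accounts that are missing from a known-good list or were registered on or after a cutoff date. The function names, cutoff, allowlist and sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage administrator accounts after updating the plugin.
# Live use (WP-CLI, run from the WordPress root):
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv \
#      | flag_admins "<date the plugin was installed>" "<expected admin logins>"

flag_admins() {
    # $1 = cutoff date YYYY-MM-DD (assumption: chosen by the site operator)
    # $2 = space-separated allowlist of administrator logins known to be legitimate
    awk -F, -v cutoff="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                     # skip the CSV header row
        {
            gsub(/"/, "")                    # strip CSV quotes (fields assumed comma-free)
            login = $2
            reg = substr($4, 1, 10)          # date part of "YYYY-MM-DD HH:MM:SS"
            reason = ""
            if (!(login in ok)) reason = "not-in-allowlist"
            if (reg >= cutoff) {             # ISO dates compare correctly as strings
                if (reason != "") reason = reason ","
                reason = reason "registered-after-cutoff"
            }
            if (reason != "")
                printf "%s\t%s\t%s\t%s\n", $1, login, $4, reason
        }'
}

# Constructed sample export; these accounts are not real data.
sample_csv() {
cat <<'EOF'
ID,user_login,user_email,user_registered
1,siteowner,owner@example.test,"2023-04-02 09:15:00"
7,editor-jane,jane@example.test,"2024-11-19 16:40:12"
42,wpsupport01,wpsupport01@example.test,"2026-01-25 03:14:07"
EOF
}

# Demo on the constructed sample: only ID 42 is reported.
sample_csv | flag_admins 2025-06-01 "siteowner editor-jane"
```

Each flagged row is a lead for manual review, not a verdict: confirm the account with the site owner before demoting or deleting it, and rotate credentials if an unexpected administrator is found.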

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2026-0920

Affected Products: La-Studio Element Kit For Elementor