PT-2026-3919 · WordPress · La-Studio Element Kit For Elementor

Athiwat Tiprasaharn +2 · Published 2026-01-22 · Updated 2026-02-13 · CVE-2026-0920

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
LA-Studio Element Kit for Elementor versions through 1.5.6.3

Description
The LA-Studio Element Kit for Elementor plugin for WordPress is susceptible to unauthorized administrative user creation. This occurs because the 'ajax_register_handle' function does not properly restrict user role assignments during registration. Unauthenticated attackers can exploit this by providing a malicious value for the 'lakit_bkrole' parameter during the registration process, allowing them to gain administrator access to the site. Reports indicate that approximately 20,000+ WordPress sites globally may be affected. The issue was reportedly introduced by a former employee and allows for full site takeover. The 'lakit_bkrole' parameter is used in the plugin's registration handler to manipulate user roles.

Recommendations
Versions through 1.5.6.3 should be updated to version 1.6.0. Audit for rogue administrator users after applying the update.
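
One way to carry out the administrator audit recommended above, as an added example that is not part of the original advisory or the plugin's code. It assumes the account list was exported with WP-CLI (`wp user list --role=administrator --format=csv`); the exposure start date, the approved-login list and the sample rows are constructed placeholders to replace with your own values.

```python
import csv
import io
from datetime import datetime

# Constructed sample of the WP-CLI CSV export (default fields); not real accounts.
SAMPLE_EXPORT = """ID,user_login,display_name,user_email,user_registered,roles
1,siteowner,Site Owner,owner@example.org,2021-03-04 09:12:44,administrator
7,webdev,Web Dev,dev@example.org,2024-11-19 16:40:02,administrator
23,wp_support7,wp_support7,x91@example.net,2026-01-25 03:14:07,administrator
24,editor_amy,Amy,amy@example.org,2026-01-26 10:00:00,"editor,administrator"
"""


def audit_admins(export_csv, exposure_start, approved_logins):
    """Return (login, registered, reasons) for administrators needing manual review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        # WP-CLI joins multiple roles with commas inside one CSV field.
        roles = {r.strip() for r in row["roles"].split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        # The allowlist check does not depend on the stored registration date.
        if row["user_login"] not in approved_logins:
            reasons.append("not on approved list")
        # Accounts created while the vulnerable version was installed.
        if registered >= exposure_start:
            reasons.append("registered during exposure window")
        if reasons:
            findings.append((row["user_login"], row["user_registered"], reasons))
    return findings


if __name__ == "__main__":
    # Assumption: date the vulnerable plugin version went live on this site.
    start = datetime(2026, 1, 1)
    approved = {"siteowner", "webdev", "editor_amy"}
    for login, when, reasons in audit_admins(SAMPLE_EXPORT, start, approved):
        print(f"REVIEW {login} (registered {when}): {'; '.join(reasons)}")
```

An approved account that shows up only because of its registration date (here `editor_amy`) still warrants a check of who granted the administrator role.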

Fix

LPE

Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2026-0920

Affected Products: La-Studio Element Kit For Elementor