A critical backdoor vulnerability has been discovered in the LA-Studio Element Kit for Elementor, a popular WordPress plugin utilized by over 20,000 active websites. This security flaw allows malicious actors to create administrator accounts without any authentication, posing a severe risk of complete website takeover for thousands of online businesses.
The vulnerability, identified as CVE-2026-0920, carries a CVSS score of 9.8, classifying it as a critical threat that requires immediate attention from website administrators. The backdoor was reportedly introduced by a former LA-Studio employee who, before their departure in late December 2025, allegedly modified the plugin’s code to insert hidden functionality for creating administrative users without authorization. The incident underscores the growing concern about insider threats and the importance of robust code review during employee transitions.
Backdoor Vulnerability in Element Kit for Elementor Poses Critical Threat
Security researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham reported the vulnerability on January 12, 2026, through the Wordfence Bug Bounty Program. Analysis by Wordfence pinpointed the flaw in the plugin’s user registration system, specifically in the `ajax_register_handle` function. A patched version, 1.6.0, was released on January 14, 2026, two days after the initial report. This rapid response limited the potential damage for many users, though immediate action was still required on each affected site.
The vulnerability affected all versions of the LA-Studio Element Kit for Elementor plugin up to and including version 1.5.6.3. Attackers could exploit this weakness by sending a specially crafted registration request containing a parameter named `lakit_bkrole`. Successful exploitation granted attackers full administrative privileges on the compromised WordPress site. This level of access would allow them to perform a range of malicious activities, including uploading harmful files, altering website content, redirecting unsuspecting visitors to phishing or malware-laden sites, or injecting spam content into pages.
Key details of the incident, as reported:
Vulnerability name: Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation
CVE ID: CVE-2026-0920
CVSS score: 9.8 (Critical)
Affected plugin: LA-Studio Element Kit for Elementor (plugin slug: `lastudio-element-kit`)
Affected versions: up to and including 1.5.6.3
Patched version: 1.6.0
Active installations: over 20,000
Attack vector: the `lakit_bkrole` parameter in a registration request
Vulnerability type: backdoor enabling administrative user creation
Researchers: Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham (bounty: $975.00)
Discovery date: January 12, 2026
Patch release date: January 14, 2026
Wordfence firewall protection: January 13, 2026 (premium users); February 12, 2026 (free users)
The Obfuscated Backdoor Mechanism
Wordfence researchers further reported that the malicious code was deliberately obfuscated to evade detection during typical security reviews, which allowed it to remain concealed within the plugin’s codebase. The obfuscated code was placed in the user registration process and granted administrator privileges to a newly created account whenever the hidden parameter was present. The purpose of the evasion was to keep the backdoor available for as long as possible.
The backdoor’s operation relied on a carefully concealed modification within the plugin’s registration handling system. Upon examining the code, Wordfence analysts discovered that the `ajax_register_handle` function contained obfuscated logic. This logic specifically checked for the presence of the `lakit_bkrole` parameter during user registration. If this parameter was detected, the function would activate additional filters that assigned administrator privileges to the new account. The obfuscation employed techniques such as string manipulation and indirect function calls, allowing the malicious code to blend seamlessly with the plugin’s legitimate functionality. This clandestine design enabled the backdoor to bypass standard security audits and remain undetected until researchers specifically investigated suspicious patterns within the registration workflow.
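Because the backdoor is triggered by a named request parameter, sites that keep application or WAF logs recording request bodies can search those logs for it. The script below is an added example written for this article, not code from the plugin or from Wordfence. The log format it parses (timestamp, client IP, method, path, then a `body=` field holding the URL-encoded form data) is constructed for the example, and the AJAX action name `register` in the sample lines is a placeholder, since the plugin’s real action name is not given here; detection therefore keys only on the `lakit_bkrole` parameter, wherever it appears. A plain web-server access log does not record POST bodies, so only the query-string case would be visible there.

```python
"""Flag registration requests carrying the `lakit_bkrole` parameter.

Added example for this article; not code from the plugin or from Wordfence.
Assumed (constructed) log format, one request per line:
    <timestamp> <client_ip> <method> <path> body=<url-encoded form data>
"""
from urllib.parse import parse_qs, urlsplit

BACKDOOR_PARAM = "lakit_bkrole"

# Constructed sample lines. The AJAX action name "register" is a placeholder;
# the plugin's real action name is not known here, so detection does not
# depend on it. Lines 2 and 4 carry the parameter in the body and the query
# string respectively; lines 1 and 3 are benign.
SAMPLE_LOG = """\
2026-01-13T08:01:12Z 203.0.113.7 POST /wp-admin/admin-ajax.php body=action=register&username=alice&email=alice%40example.test&password=pw
2026-01-13T08:02:40Z 203.0.113.9 POST /wp-admin/admin-ajax.php body=action=register&username=bob&email=bob%40example.test&password=pw&lakit_bkrole=administrator
2026-01-13T08:03:05Z 198.51.100.4 GET /?page=1 body=
2026-01-13T08:03:55Z 203.0.113.9 POST /wp-admin/admin-ajax.php?LAKIT_BKROLE%5B%5D=administrator body=action=register&username=carol&email=carol%40example.test&password=pw
"""


def parse_line(line):
    """Split one log line into its fields; the body is everything after 'body='."""
    ts, ip, method, path, body_field = line.split(" ", 4)
    if not body_field.startswith("body="):
        raise ValueError(f"unexpected log line: {line!r}")
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "body": body_field[len("body="):]}


def _has_backdoor_param(encoded):
    """True if the URL-encoded data contains lakit_bkrole, in any letter case,
    with or without an array suffix such as lakit_bkrole[]."""
    params = parse_qs(encoded, keep_blank_values=True)  # also percent-decodes keys
    return any(key.lower().split("[", 1)[0] == BACKDOOR_PARAM for key in params)


def backdoor_param_locations(path, body):
    """Return where the parameter appears: a list drawn from ['query', 'body']."""
    found = []
    if _has_backdoor_param(urlsplit(path).query):
        found.append("query")
    if _has_backdoor_param(body):
        found.append("body")
    return found


def scan_log(text):
    """Return one record per request that carries the backdoor parameter."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        where = backdoor_param_locations(rec["path"], rec["body"])
        if where:
            hits.append({"ts": rec["ts"], "ip": rec["ip"], "method": rec["method"],
                         "path": urlsplit(rec["path"]).path, "where": where})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} "
              f"backdoor parameter in {', '.join(hit['where'])}")
```

The match is deliberately loose (case-insensitive, tolerant of an array suffix) because PHP normalises parameter names before the plugin sees them; a WAF rule written for the exact lowercase string would miss those variants. Any hit on a site that was running an affected version before January 14, 2026 is a reason to audit the administrator accounts on that site.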
The immediate next step for all users of the LA-Studio Element Kit for Elementor is to update to version 1.6.0 or higher without delay to patch this critical vulnerability. Ongoing monitoring of website security logs for any unusual administrative activity is also strongly recommended. The incident serves as a stark reminder of the importance of diligent code audits, secure development practices, and rapid patching in the WordPress ecosystem, particularly considering the plugin’s widespread use.
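One concrete form of the log review recommended above is an audit of which administrator accounts exist and when they were created. The script below is an added example, not the plugin’s or Wordfence’s code. It works on rows exported from the `wp_users` and `wp_usermeta` tables (the default `wp_` table prefix is assumed), decodes the PHP-serialised `wp_capabilities` value to find each account’s roles, and flags administrators registered on or after a review date. The sample rows and the review date of 2025-12-01 (chosen to cover the late-December 2025 window in which the backdoor was reportedly introduced) are constructed assumptions.

```python
"""Audit WordPress administrator accounts created inside a review window.

Added example for this article; not code from the plugin or from Wordfence.
Assumes rows exported from wp_users and wp_usermeta with the default `wp_`
prefix. All sample rows below are constructed.
"""
from datetime import datetime
import re

# Constructed sample rows: (ID, user_login, user_email, user_registered)
USERS = [
    (1, "siteowner", "owner@example.test", "2023-05-02 10:11:12"),
    (2, "editor_jane", "jane@example.test", "2025-11-20 09:00:00"),
    (3, "sysupdate", "x@mail.example", "2026-01-13 08:02:41"),
    (4, "support_tmp", "tmp@example.test", "2026-01-13 08:04:00"),
]
# Constructed sample rows: (user_id, meta_key, meta_value)
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
]

# WordPress stores roles as a PHP-serialised array of  role => true  entries,
# e.g.  a:1:{s:13:"administrator";b:1;}  ; this matches each string/bool pair.
_ROLE_RE = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def roles_from_capabilities(serialized):
    """Return the set of role names flagged true in a wp_capabilities value."""
    roles = set()
    for length, name, flag in _ROLE_RE.findall(serialized):
        # The declared byte length must match; a mismatch means a corrupt value.
        if int(length) == len(name.encode()) and flag == "1":
            roles.add(name)
    return roles


def audit_admins(users, usermeta, since):
    """Return administrator accounts registered on or after `since` (YYYY-MM-DD),
    oldest first, so they can be reviewed in the order they appeared."""
    caps = {uid: value for uid, key, value in usermeta if key == "wp_capabilities"}
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for uid, login, email, registered in users:
        if "administrator" not in roles_from_capabilities(caps.get(uid, "")):
            continue
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= cutoff:
            flagged.append({"id": uid, "login": login, "email": email,
                            "registered": registered})
    return sorted(flagged, key=lambda row: row["registered"])


if __name__ == "__main__":
    # Review window start is an assumption for this example (see lead-in).
    for row in audit_admins(USERS, USERMETA, "2025-12-01"):
        print(f"review admin account: id={row['id']} login={row['login']} "
              f"email={row['email']} registered={row['registered']}")
```

The capabilities parser handles only the flat `role => true` array that WordPress stores by default; a site using a capability-management plugin may store other structures, and for those a full PHP unserialize is the safer route. Any account the audit flags that nobody on the team recognises should be treated as a possible compromise of the whole site, not just a stray user.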