{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0920", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-13T19:56:37.679Z", "datePublished": "2026-01-22T06:47:19.614Z", "dateUpdated": "2026-04-08T16:57:54.646Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:54.646Z"}, "affected": [{"vendor": "choijun", "product": "LA-Studio Element Kit for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.6.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site."}], "title": "LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "timeline": [{"time": "2026-01-13T20:13:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-21T17:31:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T15:19:47.839698Z", "id": "CVE-2026-0920", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T15:20:27.030Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0920", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-22T15:19:47.839698Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T15:19:52.754Z"}}], "cna": {"title": "LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "choijun", "product": "LA-Studio Element Kit for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.6.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-13T20:13:10.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-21T17:31:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit"}], "descriptions": [{"lang": "en", "value": "The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:54.646Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0920", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:54.646Z", "dateReserved": "2026-01-13T19:56:37.679Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-22T06:47:19.614Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site."}, {"lang": "es", "value": "El plugin LA-Studio Element Kit para Elementor para WordPress es vulnerable a la creaci\u00f3n de usuarios administrativos en todas las versiones hasta e incluyendo la 1.5.6.3. Esto se debe a que la funci\u00f3n 'ajax_register_handle' no restringe con qu\u00e9 roles de usuario puede registrarse un usuario. Esto hace posible que atacantes no autenticados suministren el par\u00e1metro 'lakit_bkrole' durante el registro y obtengan acceso de administrador al sitio."}], "id": "CVE-2026-0920", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-22T07:15:50.813", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:07:14.098684+00:00", "value": {"mitigation_remediation": ["Upgrade the LA\u2011Studio Element Kit for Elementor plugin to version 1.5.6.4 or later, which applies the necessary role validation.", "If an immediate update is not possible, disable the susceptible AJAX endpoint by blocking requests to 'admin-ajax.php?action=ajax_register_handle' through web server rules or a firewall.", "After mitigation, audit existing user accounts for any unapproved administrator accounts that may have been created during the vulnerability exposure and remove them."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "This flaw affects the WordPress plugin LA\u2011Studio Element Kit for Elementor distribution from the vendor choijun. All releases up to and including version 1.5.6.3 are impacted, regardless of the WordPress core or theme configuration.", "description_and_impact": "The LA\u2011Studio Element Kit for Elementor plugin allows unauthenticated users to create accounts with any role through the 'ajax_register_handle' function. By supplying the 'lakit_bkrole' parameter, an attacker can invoke this endpoint to add a new administrator without being logged in, granting full control over the WordPress site. The vulnerability arises from the absence of role validation, enabling creation of privileged accounts that bypass normal security checks.", "risk_and_exploitability": "The CVSS score of 9.8 classifies this issue as Critical, with an EPSS of less than 1% indicating low but nonzero likelihood of exploitation. The bug is not listed in the CISA KEV catalog. Attackers can trigger the vulnerability via an unauthenticated POST request to the plugin\u2019s AJAX endpoint, supplying an arbitrary value for 'lakit_bkrole', typically 'administrator'. No privileged access or network restrictions are required, making this a straightforward privilege escalation route."}}}}, "created": "2026-01-23T16:32:41.950875+00:00", "updated": "2026-04-15T19:15:12.079995+00:00", "vendors": ["choijun", "choijun$PRODUCT$la-studio-element-kit-for-elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}