CVE-2026-0920 Overview
CVE-2026-0920 is a privilege escalation vulnerability in the LA-Studio Element Kit for Elementor plugin for WordPress. The flaw affects all versions up to and including 1.5.6.3. The ajax_register_handle function fails to restrict which user roles a registrant may select. Unauthenticated attackers can supply the lakit_bkrole parameter during registration to obtain administrator access. The issue is tracked under CWE-269: Improper Privilege Management.
Critical Impact
Unauthenticated attackers can register as administrators on affected WordPress sites, leading to full site compromise.
Affected Products
- LA-Studio Element Kit for Elementor plugin for WordPress
- All versions up to and including 1.5.6.3
- WordPress sites with the plugin installed and registration accessible
Discovery Timeline
- 2026-01-22 - CVE-2026-0920 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-0920
Vulnerability Analysis
The LA-Studio Element Kit for Elementor plugin exposes a custom AJAX registration handler named ajax_register_handle. This handler processes user-supplied registration data without validating which roles a new account may receive. Because the handler is reachable by unauthenticated requests, any visitor can interact with it directly.
The plugin reads a lakit_bkrole parameter from the request body and applies it as the role of the newly created WordPress user. WordPress treats the administrator role as fully privileged, granting access to plugin installation, file editing, and user management. An attacker who supplies administrator as the role value obtains complete control of the site.
With administrator access, attackers can upload malicious plugins or themes, modify PHP files through the theme editor, and pivot to remote code execution on the underlying host. The vulnerability also enables data theft, defacement, and the insertion of persistent backdoors.
Root Cause
The root cause is a missing authorization check on the role assignment logic inside ajax_register_handle. The function trusts client-supplied input to determine the privilege level of the new account. The fix is implemented in WordPress Plugin Changeset 3439121, which restricts allowed roles during registration. The vulnerable code path can be reviewed in the plugin source for version 1.5.6.3.
Attack Vector
Exploitation requires a single HTTP POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) invoking the plugin's registration action with the lakit_bkrole parameter set to administrator. No authentication, user interaction, or special configuration beyond having the vulnerable plugin active is required. Refer to the Wordfence Vulnerability Analysis for additional technical context.
Detection Methods for CVE-2026-0920
Indicators of Compromise
- New WordPress user accounts created with the administrator role from unfamiliar email addresses or IP addresses
- POST requests to admin-ajax.php containing the lakit_bkrole parameter, especially with a value of administrator
- Unexpected plugin or theme uploads, or modifications to PHP files in wp-content/
- WordPress audit log entries showing role promotions originating from the registration flow
Detection Strategies
- Inspect web server access logs for requests to admin-ajax.php referencing the LA-Studio Element Kit registration action and the lakit_bkrole parameter
- Query the wp_users and wp_usermeta tables for accounts assigned the administrator capability since the plugin was installed
- Enable a WordPress activity logging plugin to record user creation events with originating IP and request payload
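The log-inspection strategy above, as an added example that is not part of the advisory or of the plugin: a small Python scanner that flags admin-ajax.php requests carrying the lakit_bkrole parameter. It assumes a combined-format access log extended with one trailing quoted field holding the POST body (stock access logs do not record bodies, so the parameter is only visible there when it travels in the query string or when body logging or a WAF audit log is enabled). The sample lines are constructed, the IP addresses are documentation ranges, and the registration action name is a placeholder because the advisory does not give it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log format: combined access-log format plus one extra trailing
# quoted field carrying the POST body ("-" when there is none). These lines
# are constructed, not real traffic; PLACEHOLDER_REGISTER_ACTION stands in for
# the plugin's registration action, which the advisory does not name.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [22/Jan/2026:10:14:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0" "action=PLACEHOLDER_REGISTER_ACTION&lakit_bkrole=administrator&user_email=x%40example.invalid"',
    '198.51.100.4 - - [22/Jan/2026:10:15:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0" "-"',
    '203.0.113.9 - - [22/Jan/2026:10:16:40 +0000] "POST /wp-admin/admin-ajax.php?lakit_bkrole=editor HTTP/1.1" 403 199 "-" "curl/8.0" "action=PLACEHOLDER_REGISTER_ACTION"',
    '192.0.2.5 - - [22/Jan/2026:10:17:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0" "action=PLACEHOLDER_REGISTER_ACTION&lakit_bkrole=subscriber"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<body>[^"]*)")?$'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
# WordPress gives self-registered users the subscriber role by default; any
# other client-supplied value is treated as a privilege request.
SELF_REGISTRATION_ROLES = {"subscriber"}


def extract_params(target, body):
    """Merge query-string parameters with body parameters when the body was logged."""
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    if body and body != "-":
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    return parts.path, params


def scan_access_log(lines):
    """Return one finding per lakit_bkrole value seen on an admin-ajax.php request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; a production scanner would count these
        path, params = extract_params(m["target"], m["body"])
        if path != AJAX_PATH or "lakit_bkrole" not in params:
            continue
        for role in params["lakit_bkrole"]:
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "role": role,
                # Presence of the parameter is an indicator; a non-default role
                # is the actual escalation attempt.
                "severity": "high" if role not in SELF_REGISTRATION_ROLES else "info",
                # 403 is consistent with a WAF block; 200 means the request reached
                # the plugin and the resulting account must be checked.
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG_LINES):
        print(f"{f['severity']:<4} {f['timestamp']} {f['ip']:<14} role={f['role']} status={f['status']}")
```

The scanner keys on the parameter rather than on the action name, so it still works when the action string is unknown or changes; the recorded status lets an analyst separate attempts a firewall rejected from those the plugin actually processed.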
Monitoring Recommendations
- Alert on any creation of administrator-level accounts outside of an approved provisioning workflow
- Monitor outbound traffic from the web host for connections to known command-and-control infrastructure following suspicious account creation
- Track file integrity for wp-content/plugins/ and wp-content/themes/ to detect post-exploitation payloads
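The database audit from the Detection Strategies list and the alert on administrator accounts created outside an approved workflow, as one added Python example that is not part of the advisory or of the plugin. It mirrors the SQL query an operator would run against wp_users and wp_usermeta, using constructed rows in place of a live database. Assumptions: the default wp_ table prefix (so the capabilities key is wp_capabilities), the PHP-serialized form WordPress uses for that value, a known plugin installation time, and an operator-maintained allowlist of approved administrator logins.

```python
import re
from datetime import datetime

# The query this function mirrors; run it on the live database with the site's
# real table prefix (wp_ assumed here) and the plugin's installation time.
AUDIT_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator";b:1;%'
  AND u.user_registered >= '2026-01-01 00:00:00'
ORDER BY u.user_registered;
"""

# Constructed rows shaped like wp_users and wp_usermeta (not from a real site).
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.invalid", "user_registered": "2024-03-02 09:00:00"},
    {"ID": 41, "user_login": "marketing", "user_email": "mkt@example.invalid", "user_registered": "2025-06-10 14:30:00"},
    {"ID": 77, "user_login": "xq9", "user_email": "xq9@mail.invalid", "user_registered": "2026-01-23 02:14:55"},
    {"ID": 78, "user_login": "reader", "user_email": "reader@example.invalid", "user_registered": "2026-01-24 11:05:12"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    # A revoked administrator flag (b:0) must not count as administrator.
    {"user_id": 41, "meta_key": "wp_capabilities", "meta_value": 'a:2:{s:13:"administrator";b:0;s:6:"editor";b:1;}'},
    {"user_id": 41, "meta_key": "wp_user_level", "meta_value": "7"},
    {"user_id": 77, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 78, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
]

# Matches each  s:<len>:"<role>";b:<0|1>;  pair inside the serialized PHP array.
CAP_RE = re.compile(r's:\d+:"([^"]*)";b:([01]);')
DATE_FMT = "%Y-%m-%d %H:%M:%S"


def roles_from_capabilities(meta_value):
    """Roles actually granted (b:1) in a PHP-serialized wp_capabilities value."""
    return {name for name, flag in CAP_RE.findall(meta_value) if flag == "1"}


def find_unapproved_admins(users, usermeta, since, approved_logins, prefix="wp_"):
    """Administrators registered at or after `since` whose login is not on the approved list."""
    since_dt = datetime.strptime(since, DATE_FMT)
    admin_ids = {
        row["user_id"] for row in usermeta
        if row["meta_key"] == prefix + "capabilities"
        and "administrator" in roles_from_capabilities(row["meta_value"])
    }
    suspects = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], DATE_FMT)
        if u["ID"] in admin_ids and registered >= since_dt and u["user_login"] not in approved_logins:
            suspects.append({k: u[k] for k in ("ID", "user_login", "user_email", "user_registered")})
    return sorted(suspects, key=lambda s: s["user_registered"])


if __name__ == "__main__":
    # Plugin installation time and approved admin logins are operator-supplied.
    for s in find_unapproved_admins(USERS, USERMETA, "2026-01-01 00:00:00", {"siteowner"}):
        print(f"ALERT unapproved administrator: {s['user_login']} <{s['user_email']}> registered {s['user_registered']}")
```

Parsing the serialized value rather than substring-matching it avoids counting an account whose administrator entry is present but set to false; the LIKE pattern in the SQL includes the b:1 marker for the same reason.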
How to Mitigate CVE-2026-0920
Immediate Actions Required
- Update LA-Studio Element Kit for Elementor to a version newer than 1.5.6.3 that includes the fix from changeset 3439121
- Audit all WordPress administrator accounts and remove any that were not provisioned by a trusted administrator
- Rotate credentials, secret keys, and API tokens stored in wp-config.php if unauthorized administrators are found
- Scan the site for webshells, malicious plugins, and modified core files
Patch Information
The vendor addressed the vulnerability in WordPress Plugin Changeset 3439121. Site operators should upgrade through the WordPress plugin updater or by replacing the plugin files with the patched release.
Workarounds
- Deactivate and remove the LA-Studio Element Kit for Elementor plugin until patching is possible
- Disable user registration in WordPress under Settings → General by unchecking "Anyone can register"
- Restrict access to admin-ajax.php via a web application firewall rule that blocks requests containing the lakit_bkrole parameter with a value of administrator, editor, or other privileged roles
# Example WAF rule (ModSecurity) blocking privileged role assignment via the vulnerable parameter
SecRule ARGS:lakit_bkrole "@rx ^(administrator|editor|author)$" \
"id:1026920,phase:2,deny,status:403,log,\
msg:'CVE-2026-0920 LA-Studio Element Kit privileged role assignment attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.