CVE-2026-24947

LA-Studio Element Kit for Elementor < 1.5.6.3 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.5.6.3
Patched in
58d
Time to patch

Description

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 1.5.6.3 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<1.5.6.3
PublishedDecember 15, 2025
Last updatedFebruary 10, 2026
Affected pluginlastudio-element-kit

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit a Missing Authorization vulnerability in the **LA-Studio Element Kit for Elementor** plugin (versions < 1.5.6.3). ## 1. Vulnerability Summary The **LA-Studio Element Kit for Elementor** plugin fails to implement proper authorization c…

Show full research plan

This research plan outlines the steps to investigate and exploit a Missing Authorization vulnerability in the LA-Studio Element Kit for Elementor plugin (versions < 1.5.6.3).

1. Vulnerability Summary

The LA-Studio Element Kit for Elementor plugin fails to implement proper authorization checks (e.g., current_user_can) on one or more of its AJAX handlers. This allows an unauthenticated attacker to trigger administrative functions by sending a request to admin-ajax.php. Given the CVSS score of 5.3 (Integrity impact), the vulnerability likely allows modifying plugin settings or enabling/disabling plugin features.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Action: Likely lastudio_element_kit_save_settings or lastudio_kit_save_extensions (inferred).
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred Investigation)

The research agent should first locate the registration of the vulnerable AJAX handler.

  1. Registration: Search for AJAX actions registered for unauthenticated users:
    grep -r "wp_ajax_nopriv_" wp-content/plugins/lastudio-element-kit/
  2. Handler Identification: Look for a handler that performs sensitive operations (like update_option) and lacks a capability check.
    • Target File: Likely includes/class-ajax.php or includes/admin/class-admin.php.
    • Vulnerable Pattern:
      add_action('wp_ajax_nopriv_lastudio_element_kit_save_settings', 'handler_function');
      function handler_function() {
          // If no current_user_can('manage_options') check is present...
          $data = $_POST['settings'];
          update_option('lastudio_element_kit_settings', $data);
      }
      
  3. Sink: The sink is typically update_option() or update_site_option().

4. Nonce Acquisition Strategy

If the function calls check_ajax_referer or wp_verify_nonce, a nonce is required.

  1. Identify Action String: Find the wp_create_nonce call in the source code to see the action string (e.g., lastudio-element-kit-nonce).
  2. Identify Localization: Look for wp_localize_script to find where the nonce is exposed to the frontend.
    • Search: grep -r "wp_localize_script" wp-content/plugins/lastudio-element-kit/
    • Example Variable: lastudio_element_kit_admin_vars or la_element_kit_settings.
  3. Extraction Steps:
    • The plugin likely loads its scripts in the WordPress admin or on pages using its widgets.
    • Action: Create a page with a LA-Studio Element Kit widget/shortcode:
      wp post create --post_type=page --post_status=publish --post_content='[lastudio_element_kit_shortcode]' (Verify exact shortcode using grep "add_shortcode").
    • Navigation: Use browser_navigate to the created page.
    • Evaluation: Use browser_eval to extract the nonce:
      browser_eval("window.lastudio_element_kit_admin_vars?.nonce") (Replace with actual JS object and key found in source).

5. Exploitation Strategy

Once the action and (if necessary) nonce are identified:

  1. Determine Payload: Analyze the handler to see what data it accepts. If it's a settings update, identify the option key.
  2. Construct Request:
    • URL: http://<target>/wp-admin/admin-ajax.php
    • Method: POST
    • Content-Type: application/x-www-form-urlencoded
    • Body:
      action=lastudio_element_kit_save_settings&nonce=<EXTRACTED_NONCE>&settings[some_option]=malicious_value
  3. Execution: Use the http_request tool to send the payload.

6. Test Data Setup

  1. Install and activate the plugin (version < 1.5.6.3).
  2. Identify a specific setting that can be modified (e.g., "extensions" or "active_modules").
  3. If a nonce is required, identify the shortcode or widget that enqueues the necessary scripts and create a public page containing it.

7. Expected Results

  • Success: The server returns a 200 OK response, often with a JSON body: {"success":true}.
  • Impact: The targeted WordPress option in the wp_options table is updated with the attacker-supplied value.

8. Verification Steps

After the exploit attempt, use WP-CLI to verify the change:

  1. Check the relevant option:
    wp option get lastudio_element_kit_settings (Verify the exact option name in the source).
  2. Verify if the "malicious_value" or updated configuration is present in the output.

9. Alternative Approaches

  • Missing Nonce Check: If check_ajax_referer is absent, the exploit is a direct POST request with no nonce.
  • REST API: Check if the plugin registers any REST routes via register_rest_route that lack a permission_callback or use __return_true.
  • Settings Injection: If the plugin allows updating arbitrary options (unlikely but possible), target the users_can_register option to enable site-wide registration.
Research Findings
Static analysis — not yet PoC-verified

Summary

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check in its AJAX handlers. This allows unauthenticated attackers to update plugin configurations by sending crafted requests to the WordPress AJAX endpoint.

Security Fix

--- a/includes/class-ajax.php
+++ b/includes/class-ajax.php
@@ -12,6 +12,9 @@
 	public function save_plugin_settings() {
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error();
+		}
+		check_ajax_referer( 'la-el-kit-nonce', 'security' );
 		$settings = $_POST['settings'];
 		update_option( 'la_el_kit_settings', $settings );
 		wp_send_json_success();
 	}

Exploit Outline

The exploit involves sending a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the plugin's settings-save handler (e.g., 'lastudio_element_kit_save_settings'). The attacker includes a 'settings' array containing malicious or unauthorized configuration values. Since the handler fails to verify the user's capabilities via current_user_can(), the request is processed even if the attacker is unauthenticated. If a security nonce is checked, it can typically be retrieved from the page source where the plugin's scripts are localized and enqueued.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.