LA-Studio: 20,000 WordPress Sites Compromised by Backdoor Vulnerability Enabling Malicious Admin Access

Critical Backdoor in LA-Studio Element Kit for Elementor Exposes 20,000+ WordPress Sites

A severe backdoor vulnerability (CVE-2026-0920, CVSS 9.8) in the LA-Studio Element Kit for Elementor plugin has left over 20,000 WordPress installations vulnerable to unauthenticated attacks. The flaw allows attackers to create administrator accounts and fully compromise affected sites by exploiting the lakit_bkrole parameter during user registration, bypassing role restrictions.

The malicious code, deliberately obfuscated, was traced to a former LA-Studio employee who injected it before departing in December 2025. The vulnerability resides in the ajax_register_handle function within the LA-Studio_Kit_Integration class, and it lets attackers upload malicious files, alter content, inject spam, or redirect visitors to phishing sites, all without authentication.

Security firm Wordfence discovered the flaw on January 12, 2026, validating the exploit within 24 hours. LA-Studio responded swiftly, releasing a patched version (1.6.0) on January 14, 2026. Researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham earned a $975 bounty for the responsible disclosure.

Protection measures were rolled out in phases: Wordfence Premium, Care, and Response users received firewall rules on January 13, 2026, while free users will gain access on February 12, 2026. The incident highlights risks posed by insider threats and underscores the need for stricter code audits, developer monitoring, and offboarding protocols in plugin development. Site administrators are advised to update immediately to version 1.6.0 to mitigate the threat.
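For context on what the fix has to look like, the following is an added illustration written for this summary; it is not LA-Studio's code, does not reproduce the backdoor, and uses hypothetical hook and function names (example_kit_register, example_kit_register_handle, example_kit_recent_admins). It shows the two things a defender cares about here: an AJAX registration handler that decides the new account's role entirely server-side, so no request parameter (whatever its name) can elevate privileges, and a check that lists administrator accounts registered after a given date, which is the review the advisory asks site owners to perform.

```php
<?php
/**
 * Hardened AJAX registration handler (illustrative example, not LA-Studio's code).
 *
 * Assumptions not taken from the advisory: the AJAX action is named
 * "example_kit_register", the form posts a nonce in the "nonce" field, and
 * responses use the standard WordPress JSON helpers.
 */

// Both hooks are needed: registering visitors are, by definition, not logged in.
add_action( 'wp_ajax_nopriv_example_kit_register', 'example_kit_register_handle' );
add_action( 'wp_ajax_example_kit_register', 'example_kit_register_handle' );

function example_kit_register_handle() {
    // Reject requests that did not originate from the site's own form.
    check_ajax_referer( 'example_kit_register', 'nonce' );

    // Respect the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' ); // passwords are never transformed

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid registration data.' ), 400 );
    }
    if ( username_exists( $username ) || email_exists( $email ) ) {
        wp_send_json_error( array( 'message' => 'Account already exists.' ), 409 );
    }

    // The role comes from the site's configured default, never from the request.
    // Any role-like field the client sends is simply not read, so a visitor
    // cannot pick their own privilege level.
    $userdata = array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => get_option( 'default_role', 'subscriber' ),
    );

    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}

/**
 * Defender check: administrator accounts registered on or after $since.
 * $since is a 'Y-m-d H:i:s' string compared against wp_users.user_registered,
 * which WordPress stores in UTC. Any entry the site owner does not recognise
 * is the "unauthorized administrator account" the advisory tells them to look for.
 */
function example_kit_recent_admins( $since ) {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );

    $recent = array();
    foreach ( $admins as $admin ) {
        if ( strtotime( $admin->user_registered ) >= strtotime( $since ) ) {
            $recent[] = $admin;
        }
    }
    return $recent;
}
```

The same administrator review can be run from the command line with WP-CLI (`wp user list --role=administrator --fields=user_login,user_email,user_registered`) without adding code to the site; either way, the list should be checked against the accounts the owner actually created, and the plugin updated to 1.6.0 before the review so the handler is no longer exposed.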

Source: https://gbhackers.com/wordpress-sites-3/

L.A. Design Studio cybersecurity rating report: https://www.rankiteo.com/company/l-a-design-studio

"id": "L-A1769207278",
"linkid": "l-a-design-studio",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '20,000+ WordPress site '
                                              'installations',
                        'industry': 'Web Development / WordPress Plugins',
                        'name': 'LA-Studio',
                        'type': 'Software Vendor (WordPress Plugin '
                                'Developer)'}],
 'attack_vector': 'Unauthenticated remote exploitation via `lakit_bkrole` '
                  'parameter',
 'customer_advisories': 'Users of affected WordPress sites advised to check '
                        'for unauthorized administrator accounts and malicious '
                        'content',
 'data_breach': {'personally_identifiable_information': 'Potential (if '
                                                        'accessed by '
                                                        'attackers)',
                 'sensitivity_of_data': 'High (administrator account creation, '
                                        'full site control)',
                 'type_of_data_compromised': 'Potential site data, user '
                                             'accounts, content'},
 'date_detected': '2026-01-12',
 'date_publicly_disclosed': '2026-01-14',
 'date_resolved': '2026-01-14',
 'description': 'A severe backdoor vulnerability (CVE-2026-0920, CVSS 9.8) in '
                'the LA-Studio Element Kit for Elementor plugin has left over '
                '20,000 WordPress installations vulnerable to unauthenticated '
                'attacks. The flaw allows attackers to create administrator '
                'accounts and fully compromise affected sites by exploiting '
                'the `lakit_bkrole` parameter during user registration, '
                'bypassing role restrictions. The malicious code, deliberately '
                'obfuscated, was traced to a former LA-Studio employee who '
                'injected it before departing in December 2025. The '
                'vulnerability enables attackers to upload malicious files, '
                'alter content, inject spam, or redirect visitors to phishing '
                'sites without authentication.',
 'impact': {'brand_reputation_impact': 'High (public disclosure of insider '
                                       'threat and vulnerability)',
            'data_compromised': 'Potential unauthorized access to site data, '
                                'malicious file uploads, content alteration',
            'identity_theft_risk': 'Potential (if personally identifiable '
                                   'information was accessed)',
            'operational_impact': 'Full site compromise, potential defacement, '
                                  'spam injection, phishing redirects',
            'systems_affected': '20,000+ WordPress sites using LA-Studio '
                                'Element Kit for Elementor'},
 'initial_access_broker': {'backdoors_established': 'Obfuscated backdoor in '
                                                    '`ajax_register_handle` '
                                                    'function'},
 'investigation_status': 'Resolved (patch released)',
 'lessons_learned': 'Risks posed by insider threats, need for stricter code '
                    'audits, developer monitoring, and offboarding protocols '
                    'in plugin development',
 'motivation': 'Insider threat (malicious intent post-departure)',
 'post_incident_analysis': {'corrective_actions': 'Code review of plugin, '
                                                  'patch release, firewall '
                                                  'rules deployment, enhanced '
                                                  'offboarding security '
                                                  'protocols',
                            'root_causes': 'Malicious code injection by former '
                                           'employee during plugin '
                                           'development, lack of code audit '
                                           'during offboarding'},
 'recommendations': 'Update to LA-Studio Element Kit for Elementor version '
                    '1.6.0 immediately, implement code review and offboarding '
                    'security protocols, monitor for unauthorized changes',
 'references': [{'source': 'Wordfence'}],
 'response': {'communication_strategy': 'Public disclosure via Wordfence, '
                                        'advisories to site administrators',
              'containment_measures': 'Release of patched version (1.6.0) on '
                                      'January 14, 2026',
              'enhanced_monitoring': 'Firewall rules by Wordfence',
              'recovery_measures': 'Immediate plugin update to version 1.6.0',
              'remediation_measures': 'Firewall rules deployed by Wordfence '
                                      'for Premium/Care/Response users '
                                      '(January 13, 2026), free users '
                                      '(February 12, 2026)',
              'third_party_assistance': 'Wordfence (security firm)'},
 'stakeholder_advisories': 'Site administrators advised to update plugin '
                           'immediately',
 'threat_actor': 'Former LA-Studio employee',
 'title': 'Critical Backdoor in LA-Studio Element Kit for Elementor Exposes '
          '20,000+ WordPress Sites',
 'type': 'Backdoor',
 'vulnerability_exploited': 'CVE-2026-0920'}