Critical Backdoor in LA-Studio Element Kit for Elementor Exposes 20,000+ WordPress Sites
A severe backdoor vulnerability (CVE-2026-0920) has been discovered in the LA-Studio Element Kit for Elementor, a WordPress plugin with over 20,000 active installations. The flaw, rated 9.8 on the CVSS scale, allows unauthenticated attackers to create administrator accounts, enabling full site takeovers.
The backdoor was introduced by a former LA-Studio employee who modified the plugin’s code before departing in late December 2025. The malicious functionality, hidden within the plugin’s user registration system, remained undetected until security researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham identified it on January 12, 2026, via the Wordfence Bug Bounty Program.
Exploitation occurs via a specially crafted registration request containing the lakit_bkrole parameter, granting attackers administrative privileges. Once exploited, they can upload malicious files, alter content, redirect visitors, or inject spam. The vulnerability affects all versions up to and including 1.5.6.3, with a patch (version 1.6.0) released on January 14, 2026.
Wordfence analysts noted the backdoor was deliberately obfuscated using string manipulation and indirect function calls, making it difficult to detect during standard security reviews. The flaw specifically targeted the ajax_register_handle function, bypassing normal registration checks when the hidden parameter was present.
Wordfence provided protection for Premium users on January 13, 2026, with free users receiving coverage on February 12, 2026. The incident underscores the risks of insider threats and the need for rigorous code review during employee transitions.
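As an added, defender-side illustration (not code from the article, Wordfence or LA-Studio): the script below checks an installed plugin version against the patched 1.6.0 release and scans request records for the hidden lakit_bkrole parameter described above. The record layout, the admin-ajax.php path and the sample lines are assumptions constructed for this example.

```python
import re

# CVE-2026-0920: versions up to and including 1.5.6.3 are affected; 1.6.0 is the fix.
FIXED_VERSION = "1.6.0"
BACKDOOR_PARAM = "lakit_bkrole"

def version_tuple(v: str, width: int = 4) -> tuple:
    """Turn '1.5.6.3' into (1, 5, 6, 3), zero-padded so '1.6' compares equal to '1.6.0'."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def is_vulnerable(installed: str) -> bool:
    """True when the installed plugin version is older than the patched release."""
    return version_tuple(installed) < version_tuple(FIXED_VERSION)

# Match the hidden parameter only as a whole parameter name (start of query string
# or body, or right after '&'), so 'xlakit_bkrole=' or 'lakit_bkrole_x=' do not fire.
PARAM_RE = re.compile(r"(?:^|[?&])" + re.escape(BACKDOOR_PARAM) + r"=")

# Assumed record layout: one line per request with the POST body captured, as a WAF
# or audit log might provide it (a plain access log does not record request bodies).
RECORD_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" body="(?P<body>[^"]*)"$'
)

def flag_backdoor_requests(lines):
    """Return the requests whose query string or body carries the backdoor parameter."""
    hits = []
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        if PARAM_RE.search(m["path"]) or PARAM_RE.search(m["body"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"]})
    return hits

# Constructed sample records (documentation IPs, placeholder values), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 [14/Jan/2026:03:12:05 +0000] "POST /wp-admin/admin-ajax.php" body="user_login=newuser&user_email=n@example.com&lakit_bkrole=PLACEHOLDER"',
    '198.51.100.4 [14/Jan/2026:03:13:40 +0000] "POST /wp-admin/admin-ajax.php" body="user_login=alice&user_email=a@example.com"',
    '198.51.100.9 [14/Jan/2026:03:14:02 +0000] "GET /wp-login.php?action=register" body=""',
    '203.0.113.8 [14/Jan/2026:03:15:11 +0000] "POST /wp-admin/admin-ajax.php" body="user_login=bob&lakit_bkrole_note=1"',
]

if __name__ == "__main__":
    print("1.5.6.3 vulnerable:", is_vulnerable("1.5.6.3"))  # True
    print("1.6.0 vulnerable:", is_vulnerable("1.6.0"))      # False
    for hit in flag_backdoor_requests(SAMPLE_LOG):
        print("backdoor parameter seen from", hit["ip"], "at", hit["ts"])
```

A hit is a reason to audit the site's user list for unexpected administrator accounts, not proof of compromise on its own.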
Source: https://cybersecuritynews.com/20000-wordpress-sites-affected-by-backdoor-vulnerability/
lu — la studio cybersecurity rating report: https://www.rankiteo.com/company/lu-lastudio
{
  "id": "LU-1769200137",
  "linkid": "lu-lastudio",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "20,000+ active installations",
      "industry": "WordPress Plugin Development",
      "name": "LA-Studio",
      "type": "Company"
    }
  ],
  "attack_vector": "Unauthenticated remote exploitation via crafted registration request",
  "customer_advisories": "Affected users advised to update the plugin immediately",
  "date_detected": "2026-01-12",
  "date_publicly_disclosed": "2026-01-14",
  "date_resolved": "2026-01-14",
  "description": "A severe backdoor vulnerability (CVE-2026-0920) has been discovered in the LA-Studio Element Kit for Elementor, a WordPress plugin with over 20,000 active installations. The flaw allows unauthenticated attackers to create administrator accounts, enabling full site takeovers. The backdoor was introduced by a former LA-Studio employee who modified the plugin’s code before departing in late December 2025. The malicious functionality was hidden within the plugin’s user registration system and remained undetected until identified by security researchers on January 12, 2026.",
  "impact": {
    "brand_reputation_impact": "Potential damage to LA-Studio and affected site owners",
    "operational_impact": "Full site takeovers, malicious file uploads, content alteration, visitor redirection, spam injection",
    "systems_affected": "20,000+ WordPress sites"
  },
  "initial_access_broker": {
    "backdoors_established": "Hidden parameter `lakit_bkrole` in user registration system"
  },
  "investigation_status": "Resolved",
  "lessons_learned": "Risks of insider threats and the need for rigorous code review during employee transitions",
  "motivation": "Insider threat",
  "post_incident_analysis": {
    "corrective_actions": "Patch released; enhanced monitoring by Wordfence; code review process improvements",
    "root_causes": "Malicious code introduced by former employee; obfuscation techniques used to evade detection"
  },
  "recommendations": "Update LA-Studio Element Kit for Elementor to version 1.6.0 or later; implement stricter code review processes for employee transitions",
  "references": [
    {
      "source": "Wordfence Bug Bounty Program"
    }
  ],
  "response": {
    "containment_measures": "Patch released (version 1.6.0)",
    "enhanced_monitoring": "Wordfence protection for Premium users (2026-01-13), free users (2026-02-12)",
    "remediation_measures": "Plugin update to version 1.6.0",
    "third_party_assistance": "Wordfence Bug Bounty Program"
  },
  "threat_actor": "Former LA-Studio employee",
  "title": "Critical Backdoor in LA-Studio Element Kit for Elementor Exposes 20,000+ WordPress Sites",
  "type": "Backdoor",
  "vulnerability_exploited": "CVE-2026-0920"
}