CVE-2026-0920

CVE-2026-0920 affects the WordPress plugin “LA-Studio Element Kit for Elementor” (≤ 1.5.6.3). The root cause is a missing role restriction in the AJAX registration handler (ajax_register_handle), which lets unauthenticated users supply the lakit_bkrole parameter and create an administrator accoun...

CVE-2026-0920 LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajaxregisterhandle' function not restricting what user roles a user can register with. This makes it possible for...

WordPress LA-Studio Element Kit for Elementor plugin <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter vulnerability

Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakitbkrole parameter vulnerability discovered by WordFence in WordPress Plugin LA-Studio Element Kit for Elementor versions = 1.5.6.3...