A critical backdoor vulnerability has been found in the LA-Studio Element Kit for Elementor, a popular WordPress plugin used by more than 20,000 active sites.
This security flaw allows attackers to create administrator accounts without any authentication, putting thousands of websites at risk of full takeover.
The vulnerability, tracked as CVE-2026-0920, carries a CVSS score of 9.8, marking it as a critical threat that requires immediate action from site administrators.
The backdoor was introduced by a former employee who left the company in late December 2025. According to LA-Studio, the developer modified the plugin code shortly before their employment ended, inserting hidden functionality that allows unauthorized administrator account creation.
This incident highlights the growing concern around insider threats and the importance of code review processes during employee transitions.
Security researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham discovered the vulnerability on January 12, 2026, and reported it through the Wordfence Bug Bounty Program.
Wordfence analysts identified the flaw within the plugin's user registration system, specifically in the ajax_register_handle function. The vulnerability was patched quickly, with version 1.6.0 released on January 14, 2026, just two days after the initial report.
The vulnerability exists in all versions up to and including 1.5.6.3 of the LA-Studio Element Kit for Elementor plugin. Attackers can exploit this flaw by sending a specially crafted registration request containing the lakit_bkrole parameter.
Once successful, they gain full administrative access to the targeted WordPress site, allowing them to upload malicious files, modify content, redirect visitors to harmful websites, or inject spam content.
Vulnerability Details:

Vulnerability Name: Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation
CVE ID: CVE-2026-0920
CVSS Score: 9.8 (Critical)
Affected Plugin: LA-Studio Element Kit for Elementor
Plugin Slug: lastudio-element-kit
Affected Versions: ≤ 1.5.6.3
Patched Version: 1.6.0
Active Installations: 20,000+
Attack Vector: lakit_bkrole parameter in registration request
Vulnerability Type: Backdoor / Administrative User Creation
Discoverers: Athiwat Tiprasaharn, Itthidej Aramsri, Waris Damkham
Bounty Amount: $975.00
Discovery Date: January 12, 2026
Patch Release Date: January 14, 2026
Wordfence Protection: January 13, 2026 (Premium), February 12, 2026 (Free)
Wordfence researchers noted that the backdoor code was deliberately obfuscated to avoid detection during security reviews. This evasion technique made the malicious functionality harder to spot, allowing it to remain hidden within the plugin's codebase.
The obfuscated code specifically targeted the user registration process, adding administrator capabilities to newly created accounts when the hidden parameter was present.
The Obfuscated Backdoor Mechanism
The backdoor operates through a carefully hidden modification within the plugin's registration handling system.
When analyzing the code, Wordfence analysts found that the ajax_register_handle function contained obfuscated logic that checked for the presence of the lakit_bkrole parameter during user registration.
If this parameter was detected, the function would trigger additional filters that assigned administrator privileges to the newly created account.
The obfuscation included techniques like string manipulation and indirect function calls, making the malicious code blend seamlessly with legitimate plugin functionality.
This clever disguise allowed the backdoor to bypass standard security audits and remain undetected until researchers specifically investigated suspicious patterns in the registration workflow.
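For sites that cannot update to 1.6.0 immediately, the following mu-plugin is an added stop-gap written for this article, not code from LA-Studio or Wordfence. It blocks any request carrying the lakit_bkrole parameter before the plugin's AJAX handler runs, and as defence in depth reverts any administrator grant made in a request whose user lacks the promote_users capability; the second guard assumes the backdoor assigns the role through WordPress's normal role API (WP_User::set_role or add_role), which the article does not confirm.

```php
<?php
/**
 * Plugin Name: LA-Studio Element Kit backdoor guard (stop-gap mu-plugin)
 * Description: Blocks the lakit_bkrole parameter and refuses unprivileged
 *              administrator grants until the plugin is updated to 1.6.0.
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// 1. Drop any request carrying the backdoor parameter before the plugin's
//    AJAX registration handler can see it, and log the attempt.
add_action( 'init', function () {
	if ( isset( $_GET['lakit_bkrole'] ) || isset( $_POST['lakit_bkrole'] ) ) {
		error_log( sprintf(
			'[lakit-guard] lakit_bkrole parameter blocked: ip=%s uri=%s',
			$_SERVER['REMOTE_ADDR'] ?? 'unknown',
			$_SERVER['REQUEST_URI'] ?? ''
		) );
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
}, 0 );

// 2. Defence in depth (assumption: the backdoor uses the normal role API):
//    no account may become administrator unless the current request comes
//    from a user allowed to promote users. Self-registration is anonymous.
function lakit_guard_admin_grant( $user_id, $role ) {
	if ( 'administrator' !== $role ) {
		return;
	}
	// The installer and WP-CLI legitimately create admins with no logged-in user.
	if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
		return;
	}
	if ( current_user_can( 'promote_users' ) ) {
		return;
	}
	$user = new WP_User( $user_id );
	// set_role() replaces every role and re-fires set_user_role with the
	// default role, which returns early above, so this does not loop.
	$user->set_role( get_option( 'default_role', 'subscriber' ) );
	error_log( sprintf( '[lakit-guard] reverted administrator grant for user %d', $user_id ) );
}
add_action( 'set_user_role', 'lakit_guard_admin_grant', 10, 2 );
add_action( 'add_user_role', 'lakit_guard_admin_grant', 10, 2 );
```

Entries tagged [lakit-guard] in the PHP error log indicate an attempt worth reviewing alongside the site's user list for unexpected administrator accounts.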
