Platform
wordpress
Component
lastudio-element-kit
Fixed in
1.5.7
CVE-2026-0920 is a privilege escalation vulnerability discovered in the LA-Studio Element Kit for Elementor WordPress plugin. This flaw allows unauthenticated attackers to bypass user role restrictions and elevate their privileges to administrator level. The vulnerability impacts versions from 0.0.0 through 1.5.6.3, and a fix is available in version 1.6.0.
The impact of CVE-2026-0920 is severe. An attacker can exploit this vulnerability to gain complete control over a WordPress site by creating an administrator account without authentication. This grants them full access to all site data, including sensitive user information, financial records, and administrative configurations. They could modify content, install malicious plugins, redirect traffic, or even completely compromise the server. This vulnerability shares similarities with other WordPress plugin vulnerabilities where improper input validation leads to unauthorized access.
CVE-2026-0920 was publicly disclosed on 2026-01-22. Exploitation is considered highly likely because the flaw is easy to exploit and requires no authentication. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation. Check CISA and NVD for updates and potential KEV listing.
WordPress websites utilizing the LA-Studio Element Kit for Elementor plugin, particularly those running versions 0.0.0 through 1.5.6.3, are at significant risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'ajax_register_handle' /var/www/html/wp-content/plugins/la-studio-element-kit-for-elementor/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'la-studio-element-kit-for-elementor'
• wordpress / composer / npm:
wp plugin update la-studio-element-kit-for-elementor
Disclosure
Exploit Status
EPSS
0.06% (17th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-0920 is to immediately upgrade the LA-Studio Element Kit for Elementor plugin to version 1.6.0 or later. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent exploitation. As a short-term workaround, implement strict user role management policies within WordPress to limit the potential impact of a successful attack. Monitor WordPress access logs for suspicious user registration attempts, particularly those involving unusual role assignments. After upgrading, verify the fix by attempting to register a user with an unauthorized role (e.g., 'lakit_bkrole=administrator') and confirming that the registration fails.
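To support the log-monitoring advice above, here is an added detection example in Python (not code from the advisory or from the plugin vendor): it scans access-log lines for requests that pass the `lakit_bkrole` parameter from the verification step with a privileged role value. The combined log format, the `admin-ajax.php` path in the constructed samples and the set of roles treated as privileged are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Roles a self-service registration must never be able to request (assumed list).
PRIVILEGED_ROLES = {"administrator", "editor", "author"}
# Parameter name taken from the advisory's post-upgrade verification step.
ROLE_PARAM = "lakit_bkrole"
# Combined-format access log line (simplified; adjust to your server's log format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["query"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return entry

def is_suspicious(entry):
    """True when the request carries lakit_bkrole with a privileged role value.
    Access logs show only the query string, not POST bodies: a parameter sent in
    the body is only visible in a WAF or application-level log."""
    role = entry["query"].get(ROLE_PARAM, "").strip().lower()
    return role in PRIVILEGED_ROLES

def scan(lines):
    """Return (ip, timestamp, path, requested role, status) per suspicious line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], entry["path"],
                         entry["query"][ROLE_PARAM], entry["status"]))
    return hits

# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?lakit_bkrole=administrator HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Jan/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?lakit_bkrole=subscriber HTTP/1.1" 200 512',
    '192.0.2.9 - - [22/Jan/2026:10:02:10 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2048',
    '203.0.113.5 - - [22/Jan/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?lakit_bkrole=Editor HTTP/1.1" 403 0',
]
```

Running `scan(SAMPLE_LOG)` returns the two lines that request the administrator and Editor roles; the rejected (403) attempt is still reported, since a blocked attempt is still worth investigating.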
Update to version 1.6.0, or a newer patched version
CVE-2026-0920 is a critical vulnerability in the LA-Studio Element Kit for Elementor WordPress plugin allowing unauthenticated attackers to gain administrator access.
You are affected if you are using LA-Studio Element Kit for Elementor versions 0.0.0 through 1.5.6.3. Upgrade immediately.
Upgrade the LA-Studio Element Kit for Elementor plugin to version 1.6.0 or later. Disable the plugin as a temporary workaround if upgrading is not possible.
While active exploitation is not yet confirmed, the ease of exploitation suggests that exploitation is highly likely. Monitor your systems closely.
Refer to the LA-Studio Element Kit website and WordPress plugin repository for the official advisory and update information.