CVE-2026-0920 Backdoor in LA-Studio Element Kit for Elementor Impacts 20,000 WordPress Sites


What happened

A critical backdoor has been identified in LA-Studio Element Kit for Elementor, a WordPress plugin reported as installed on more than 20,000 active sites. The vulnerability, tracked as CVE-2026-0920 with a CVSS score of 9.8, allows unauthenticated attackers to create administrator accounts by sending a crafted registration request containing the lakit_bkrole parameter. According to the report, the backdoor was introduced by a former employee who modified the plugin code shortly before leaving in late December 2025, inserting hidden logic into the ajax_register_handle function in the registration workflow. Researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham reported the issue through the Wordfence Bug Bounty Program; Wordfence analysts confirmed the flaw, and a patch was released in version 1.6.0 on January 14, 2026.

Who is affected

Organizations and individuals operating WordPress sites using LA-Studio Element Kit for Elementor are directly affected, particularly on versions up to and including 1.5.6.3. Indirectly affected parties include site visitors and customers if compromised sites are used for malware distribution, credential theft, or payment diversion.

Why CISOs should care

Unauthenticated admin creation is a full-site takeover path that can enable persistent backdoors, data theft, and supply-chain abuse via injected scripts. The insider-backdoor element highlights governance risk in plugin supply chains and how compromised third-party code can undermine web security controls.

3 practical actions

  • Patch the plugin immediately: Upgrade LA-Studio Element Kit for Elementor to version 1.6.0 or later and validate removal of vulnerable versions.
  • Audit WordPress admin accounts: Review administrator lists and registration logs for suspicious account creation and unexpected lakit_bkrole parameter usage.
  • Harden plugin supply chain controls: Reduce plugin sprawl, restrict update privileges, and implement integrity monitoring for web content and plugin directories.
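As an added example for the audit step above (not code from the report or the plugin), the Python script below scans web-server access-log lines for requests that carry the lakit_bkrole parameter in the query string and lists administrator accounts registered on or after a cutoff date. The log lines and the admin list are constructed samples; the admin-ajax.php path, the parameter value and the WP-CLI `wp user list` JSON layout are assumptions.

```python
import json
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (Apache combined format). The admin-ajax.php
# path and the parameter value are assumptions made for this illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2026:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?lakit_bkrole=administrator HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [13/Jan/2026:03:15:22 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2026:03:16:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Constructed sample of the JSON that `wp user list --role=administrator
# --fields=ID,user_login,user_registered --format=json` prints (WP-CLI).
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-05-02 09:12:00"},
    {"ID": 57, "user_login": "newadmin", "user_registered": "2026-01-13 03:14:08"},
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_bkrole_requests(log_text):
    """Return requests carrying lakit_bkrole in the query string.
    Access logs do not record POST bodies, so a clean result is not proof of absence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        params = parse_qs(urlparse(m["target"]).query)
        if any(k.lower().startswith("lakit_bkrole") for k in params):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "status": m["status"]})
    return hits

def find_recent_admins(admins_json, cutoff_date):
    """Return administrator logins registered on or after cutoff_date (YYYY-MM-DD)."""
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    return [u["user_login"] for u in json.loads(admins_json)
            if datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S") >= cutoff]

if __name__ == "__main__":
    for hit in find_bkrole_requests(SAMPLE_LOG):
        print("lakit_bkrole request:", hit)
    # The backdoor was committed in late December 2025: review every admin created since then.
    print("admins since 2025-12-01:", find_recent_admins(SAMPLE_ADMINS, "2025-12-01"))
```

Run it against a real log with `find_bkrole_requests(open(path).read())` and against the output of the WP-CLI command above; a hit in the log and a matching administrator registration timestamp together are a strong indicator that the backdoor was used.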