Critical Backdoor Found in LA-Studio Element Kit Plugin, 20,000+ Sites at Risk

Listen to this Post

Featured Image
A severe security flaw has been uncovered in the LA-Studio Element Kit, a popular Elementor plugin for WordPress, putting more than 20,000 active websites at risk of complete compromise. Discovered on January 12, 2026, the vulnerability allows attackers to create administrator accounts without any authentication, effectively giving them full control over affected sites. This flaw underscores the growing risks of insider threats and the importance of rapid vulnerability disclosure.

Overview of the Vulnerability

The LA-Studio Element Kit, an add-on offering header builders, widgets, and WooCommerce integrations, suffered a backdoor inserted by a departing employee in December 2025. Security firm Wordfence confirmed the flaw and rewarded researchers Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), and Waris Damkham with $975 for their discovery through the Wordfence Bug Bounty Program. The vulnerability received a CVSS score of 9.8 (Critical) and was tracked under CVE-2026-0920.

Affected plugin versions span from the initial release up to 1.5.6.3, with the patch released in version 1.6.0 on January 14, 2026. Wordfence Premium, Care, and Response users were protected as early as January 13, while free users will gain firewall coverage by February 12. Immediate updates are strongly advised to prevent exploitation.

How the Exploit Works

The backdoor resides in the LaStudio_Kit_Integration class, specifically within the ajax_register_handle() function that handles user registrations. Attackers can supply a hidden parameter, lakit_bkrole, which triggers obfuscated code to grant administrator privileges to any new user.

The method ajax_register_handle_backup() modifies user capabilities, and a filter in the plugin further obfuscates role assignment using string manipulation. Notably, the LaStudio_Kit_Helper::lakit_active() function initially returns adstrator, which is programmatically corrected to administrator, bypassing standard security scans.

To exploit the flaw, an unauthenticated attacker simply sends a POST request to the registration endpoint containing lakit_bkrole, a username, email, and password. The attacker gains full admin access, allowing them to upload plugins or themes, insert persistent backdoors, manipulate content, or redirect visitors.

Hidden Patch History

Wordfence noted that prior changelog entries labeled “Fixed security issue” in versions 1.5.6.3 and 1.5.6.4 did not fully address the backdoor. The vulnerability persisted until version 1.6.0, highlighting the risk of relying solely on changelog notes for security verification.

Immediate Action for WordPress Administrators

Update immediately to LA-Studio Element Kit version 1.6.0 or higher.

Scan for rogue admin users by reviewing the wp_users table, especially recent registrations.

Enable security firewalls like Wordfence to block ongoing attacks.

Check access logs for suspicious POST requests to /wp-admin/admin-ajax.php with the lakit_bkrole parameter.

Implement strong offboarding procedures, including credential revocation and post-termination code audits.

What Undercode Say:

The LA-Studio Element Kit backdoor is a textbook example of insider threats combined with plugin vulnerabilities in WordPress. Unlike common flaws that attackers must discover externally, this was deliberately planted, giving malicious insiders the ability to bypass authentication controls entirely.

The use of obfuscated code and string manipulation to transform adstrator into administrator is both clever and alarming. It demonstrates how attackers exploit small coding oversights and trust in automated scanning tools. Many WordPress sites rely on changelogs to gauge security; this incident proves that changelogs alone are not reliable indicators of a fix.

From a threat perspective, this backdoor could have allowed attackers to:

Install malicious plugins or themes, creating persistent access.

Redirect traffic or inject malware for SEO poisoning or phishing campaigns.

Exfiltrate sensitive customer and transactional data from WooCommerce stores.

Conduct site-wide defacement or ransomware deployment.

This incident also highlights the critical importance of offboarding procedures. Organizations often overlook the fact that a departing developer or contractor can introduce serious vulnerabilities. Routine audits, code reviews, and post-exit monitoring should be mandatory for all WordPress operations, especially those with e-commerce integrations.

Administrators must act swiftly. The combination of high CVSS score, unauthenticated access, and widespread adoption makes this a high-priority patch for the WordPress ecosystem. Firewalls and active monitoring are essential to mitigate ongoing threats while updates are applied.

Fact Checker Results:

✅ Confirmed Vulnerability – Wordfence validated the backdoor and awarded researchers via Bug Bounty.
✅ Patch Released – Version 1.6.0 addresses the issue fully.
❌ Partial Fixes Ineffective – Prior versions masked the flaw but did not eliminate it.

Prediction:

⚠️ Expect rapid exploitation attempts against unpatched sites in the coming weeks.
⚡ Large-scale compromise campaigns could target WooCommerce stores using outdated versions.
🔒 Long-term impact may drive stricter offboarding policies and more aggressive WordPress security scanning tools.

If you want, I can also create a visual diagram showing the exploit flow to make this vulnerability easier to understand for non-technical admins. It could be very useful for security awareness training. Do you want me to do that?

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon