CVE-2026-0920

CRITICAL EXPLOITED

LA-Studio Element Kit - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2026-0920 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including John-doe-code-a11, O99099O, Galaxy-sc.

AI-analyzed exploit summary: The repository contains a functional Python exploit for CVE-2026-0920, targeting a backdoor in LA-Studio Element Kit for Elementor. The exploit automates the creation of an administrator account via a crafted AJAX request with a hidden parameter.

Description

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.

Exploits (4)

nomisec WORKING POC 4 stars
by John-doe-code-a11 · remote
https://github.com/John-doe-code-a11/CVE-2026-0920

The repository contains a functional Python exploit for CVE-2026-0920, targeting a backdoor in LA-Studio Element Kit for Elementor. The exploit automates the creation of an administrator account via a crafted AJAX request with a hidden parameter.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: LA-Studio Element Kit for Elementor (versions ≤ 1.5.6.3)
No auth needed
Prerequisites: Valid WordPress AJAX nonce · Target URL
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by O99099O · remote
https://github.com/O99099O/By-Poloss..-..CVE-2026-0920

This repository contains a functional exploit for CVE-2026-0920, targeting LA-Studio Element Kit for Elementor versions up to 1.5.6.3. The exploit automates the creation of unauthorized administrator accounts via an unauthenticated vulnerability in the plugin's AJAX registration functionality.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: LA-Studio Element Kit for Elementor <= 1.5.6.3
No auth needed
Prerequisites: Target must be running WordPress with LA-Studio Element Kit plugin <= 1.5.6.3 · Plugin must be accessible via AJAX endpoints
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by Galaxy-sc · remote
https://github.com/Galaxy-sc/CVE-2026-0920-WordPress-LA-Studio-Exploit

This repository contains a functional Go-based exploit for CVE-2026-0920, targeting a backdoor in the LA-Studio Element Kit WordPress plugin. The exploit automates the creation of an unauthenticated admin account by injecting a malicious JSON payload into the 'lakit_ajax' endpoint.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: WordPress Plugin LA-Studio Element Kit <= 1.5.6.3
No auth needed
Prerequisites: Target URL with vulnerable plugin installed · Valid nonces (auto-scraped or manually provided)
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2026-0920-

This repository contains a functional exploit for CVE-2026-0920, targeting a vulnerability in LaStudioKit (likely a WordPress plugin). The exploit automates the extraction of an 'ajaxNonce' value and performs an unauthorized admin registration by crafting a malicious request to '/wp-admin/admin-ajax.php'.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: LaStudioKit (WordPress plugin)
No auth needed
Prerequisites: Target must be running vulnerable LaStudioKit plugin · Access to the WordPress admin-ajax.php endpoint
devstral-2 · analyzed Apr 19, 2026

Scores

CVSS v3 9.8
EPSS 0.0007
EPSS Percentile 20.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-01-21
CWE
CWE-269
Status published
Products (1)
choijun/LA-Studio Element Kit for Elementor < 1.5.6.3
Published Jan 22, 2026
Tracked Since Feb 18, 2026