Advisory

20,000 WordPress Sites Exposed to Backdoor in LA-Studio Element Kit

Take action: If you are using Element Kit for Elementor, this is URGENT. Your plugin may have an active backdoor. Update the LA-Studio Element Kit plugin to version 1.6.0 immediately to remove the backdoor and review your WordPress server users for unexpected user accounts.


Learn More

LA-Studio fixed a critical backdoor flaw in its Element Kit for Elementor plugin. Apparently a former employee planted the malicious code in December 2025 shortly before their termination. This backdoor lets attackers create new administrator accounts without needing any existing login credentials.

The flaw is tracked as CVE-2026-0920 (CVSS score 9.8), a backdoor in the plugin's registration logic. An attacker can send a registration request with a hidden parameter called 'lakit_bkrole' to trigger the exploit.

The developer used obfuscation to hide the backdoor from security tools. The code manipulated strings to build the administrator role name dynamically, so the literal role name never appeared in the source and scanners could not match on it. This allowed the malicious function to stay hidden in the ajax_register_handle function until manual review caught it.

Security researchers at Wordfence discovered the issue on January 12, 2026.

LA-Studio released version 1.6.0 on January 14, 2026, to remove the backdoor. All users running version 1.5.6.3 or older must update now.
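The two checks this advisory asks site owners to make (is the installed plugin still in the vulnerable range, and which administrator accounts appeared after the backdoor was planted) can be scripted. The following is an added example written for this page; it is not code from LA-Studio, Wordfence, or the plugin. It assumes user records in the shape that `wp user list --format=json` emits, and it assumes a review cut-off of 1 December 2025 based on the advisory's statement that the code was planted in December 2025; the user list below is constructed sample data.

```python
"""Triage helper for CVE-2026-0920 (LA-Studio Element Kit backdoor).

Added example, not vendor code. Two questions from the advisory:
  1. Is the installed plugin version 1.5.6.3 or older (still backdoored)?
  2. Which administrator accounts were registered after the implant date
     and therefore need a manual look?
"""
import json
from datetime import datetime

# Version that removed the backdoor, per the advisory.
FIXED_VERSION = (1, 6, 0)

# Assumption: the advisory dates the implant to December 2025, so every
# administrator registered on or after 1 Dec 2025 is put in front of a human.
REVIEW_FROM = datetime(2025, 12, 1)


def parse_version(version: str) -> tuple:
    """Turn '1.5.6.3' into (1, 5, 6, 3) so versions compare numerically.

    Comparing the raw strings would wrongly rank '1.10.0' below '1.6.0'.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(installed: str) -> bool:
    """True when the installed plugin predates the fixed release 1.6.0."""
    return parse_version(installed) < FIXED_VERSION


def suspicious_admins(users_json: str, review_from: datetime = REVIEW_FROM) -> list:
    """Return logins of administrator accounts registered on/after review_from.

    Expects records like `wp user list --format=json
    --fields=ID,user_login,user_email,user_registered,roles`, where `roles`
    is a comma-separated string; a JSON list of roles is accepted too.
    """
    flagged = []
    for user in json.loads(users_json):
        roles = user.get("roles", "")
        if isinstance(roles, str):
            roles = [r.strip() for r in roles.split(",") if r.strip()]
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= review_from:
            flagged.append(user["user_login"])
    return flagged


# Constructed sample: one long-standing admin, one recent editor, and one
# administrator that appeared in January 2026 with no obvious owner.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
     "user_registered": "2021-03-04 10:00:00", "roles": "administrator"},
    {"ID": 14, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2025-12-19 09:30:00", "roles": "editor"},
    {"ID": 57, "user_login": "wp_support_tmp", "user_email": "x@example.invalid",
     "user_registered": "2026-01-03 02:41:18", "roles": "administrator"},
])


if __name__ == "__main__":
    for version in ("1.5.6.3", "1.6.0"):
        state = "VULNERABLE" if is_vulnerable(version) else "fixed"
        print(f"Element Kit {version}: {state}")
    print("Administrator accounts to review:", suspicious_admins(SAMPLE_USERS))
```

On a live site, feed the script the real output of `wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles`; a flagged account is a prompt for review, not proof of compromise, since legitimate administrators may also have been added in that window.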
