| Plugin Name | LA-Studio Element Kit for Elementor |
|---|---|
| Type of Vulnerability | Backdoor |
| CVE Number | CVE-2026-0920 |
| Urgency | Critical |
| CVE Publish Date | 2026-01-21 |
| Source URL | CVE-2026-0920 |
Critical Backdoor in LA‑Studio Element Kit for Elementor (CVE‑2026‑0920) — What WordPress Site Owners Must Do Now
Updated: 21 Jan 2026
CVE: CVE‑2026‑0920 — Plugin versions <= 1.5.6.3 are vulnerable; fixed in 1.6.0.
Severity: CVSS 9.8 (High). Attack vector: Unauthenticated. Classification: Backdoor / Privilege Escalation.
TL;DR
A backdoor was discovered in the LA‑Studio Element Kit for Elementor (≤1.5.6.3). It allows unauthenticated attackers to create administrative users via a hidden parameter (reported as lakit_bkrole), enabling full control of affected sites. If you run this plugin on any WordPress site, treat this as an emergency.
- Verify the plugin version immediately. If you run ≤ 1.5.6.3, update to 1.6.0 or later now.
- If you cannot update immediately, deactivate or remove the plugin and apply immediate virtual patching or firewall rules where possible.
- Scan for newly created administrators, suspicious user accounts, and unexpected files or modifications.
- If compromise is suspected, follow incident response steps: isolate, investigate, recover, harden.
Why this is so urgent
Backdoor vulnerabilities are among the most dangerous WordPress issues because they allow attackers to retain long‑term, stealthy access. The LA‑Studio Element Kit backdoor is particularly severe because it:
- Is exploitable without any authentication (any remote actor can trigger it).
- Allows creation of administrative accounts (full site control).
- Was embedded in plugin code in a way that bypasses normal permission checks.
- Has high impact across confidentiality, integrity, and availability per CVSS.
When a backdoor can create admins, an attacker can install additional backdoors, deploy malware, steal data, or render sites unusable. Attackers typically scan for known vulnerable plugins soon after disclosure — fast action is essential.
What we know about the vulnerability (summary)
- Affected software: LA‑Studio Element Kit for Elementor (WordPress plugin)
- Vulnerable versions: any release at or below 1.5.6.3
- Fixed in: 1.6.0
- Vulnerability type: backdoor leading to unauthenticated privilege escalation (administrative user creation)
- Vector: The plugin exposes an undocumented entry point that accepts a special parameter (identified as lakit_bkrole in public reporting). This triggers creation of a user with administrative capabilities if certain code paths are invoked.
- Discovery: Reported by security researchers and publicly disclosed on 21 Jan 2026.
- CVE: CVE‑2026‑0920
- CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Note: Attack payloads are not reproduced here; the goal is to help defenders detect, mitigate, and recover.
How the attack works (high level — defender focused)
Researchers found a code path within the plugin that accepts remote input and processes it in a way that leads to user creation. The parameter name referenced in reports is lakit_bkrole — likely an internal/back‑end management entry left exposed and insufficiently validated.
A remote attacker can send an HTTP request including this parameter to invoke logic that creates a new user with admin privileges or modifies role assignment behavior. Because no authentication check is required for that entry point in affected versions, a fully privileged user account can be created without any login.
Consequences of an attacker creating an administrator account include:
- Full access to WP Admin and the file system through plugins and themes.
- Ability to install persistent backdoors and cron jobs.
- Possible exfiltration of database contents and user data.
- Hijack of e‑mail, payment, affiliate, or other business workflows.
- Post‑compromise monetization (malware, SEO spam, redirectors).
Real attack scenarios
- Mass compromise: Attackers scan for sites with the vulnerable plugin and create admin users across thousands of sites.
- Targeted takeover: A motivated attacker targets high‑value sites, creates an admin, then pivots within an organization.
- Supply chain abuse: If the site stores privileged API credentials, these can be stolen and abused beyond the site itself.
Am I vulnerable? Immediate checks
- Plugin version
Check WordPress Admin → Plugins and verify the active version of “LA‑Studio Element Kit for Elementor”. Or use WP‑CLI:
wp plugin list --format=table | grep lastudio-element-kit
If version ≤ 1.5.6.3, you are vulnerable.
- New or unexpected administrator accounts
Check All Users in WP Admin for users you don’t recognize. WP‑CLI:
wp user list --role=administrator --fields=ID,user_login,user_email,display_name,registered
Look for recently created users (same day as disclosure or after).
- Suspicious users and roles
Check for non‑standard roles or users with unexpected capabilities. Dump roles via WP‑CLI:
wp eval 'print_r(get_editable_roles());'
- File modifications and suspicious files
Look for modified plugin files or unexpected PHP files in uploads or plugin directories. Simple server checks:
find /path/to/wp-content -type f -mtime -30 -name '*.php' -ls
Search the plugin folder for the keyword lakit_bkrole (an indication of backdoor code or references):
grep -R --line-number "lakit_bkrole" wp-content/plugins/lastudio-element-kit
- Logs and access patterns
Check webserver logs for unusual POST/GET requests to plugin endpoints, especially those with unusual parameters.
- Database check
Query the user table for recent entries:
SELECT ID,user_login,user_email,user_registered FROM wp_users WHERE user_registered > '2026-01-01' ORDER BY user_registered DESC;
If any checks show suspicious results — treat the site as potentially compromised.
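As an added triage helper (not code from the advisory or the plugin vendor), the following Python compares an installed version against the 1.5.6.3 boundary and flags administrators registered on or after the disclosure date from WP-CLI CSV output. The column name user_registered and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime

# Boundaries stated in the advisory: releases <= 1.5.6.3 are vulnerable, 1.6.0 fixes it.
LAST_VULNERABLE = "1.5.6.3"
DISCLOSURE_DATE = datetime(2026, 1, 21)


def parse_version(version):
    """Turn '1.5.6.3' into a comparable tuple; missing components count as 0,
    so '1.5.6' sorts as (1, 5, 6, 0) and is correctly treated as <= 1.5.6.3."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(installed):
    """True when the installed plugin version is at or below 1.5.6.3."""
    return parse_version(installed) <= parse_version(LAST_VULNERABLE)


def suspicious_admins(csv_text, since=DISCLOSURE_DATE):
    """Return logins of administrators registered on or after `since`.

    csv_text is assumed to be the output of
      wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
    An account created after disclosure is not proof of compromise, only the
    first thing to verify with the site owner.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            flagged.append(row["user_login"])
    return flagged


# Constructed sample in the shape WP-CLI produces (not real accounts).
SAMPLE_ADMINS = """\
ID,user_login,user_email,user_registered
1,owner,owner@example.com,2021-03-04 09:12:33
17,wpsupport,support@example.net,2026-01-22 03:41:07
"""

if __name__ == "__main__":
    for v in ("1.5.6", "1.5.6.3", "1.6.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("admins to verify:", suspicious_admins(SAMPLE_ADMINS))
```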
Immediate mitigation steps (first 60 minutes)
If you confirm you have the vulnerable plugin installed or can’t verify quickly, follow these actions immediately.
- Update the plugin to 1.6.0 or later immediately.
This is the definitive fix from the developer.
- If update is not possible right away:
- Deactivate the plugin immediately via WP Admin → Plugins → Deactivate, or:
wp plugin deactivate lastudio-element-kit
- If deactivation fails, remove or rename the plugin folder from the filesystem (rename instead of deleting to preserve files for investigation):
mv wp-content/plugins/lastudio-element-kit wp-content/plugins/lastudio-element-kit.bak
- Apply virtual patching / firewall rules where available.
If you operate an application firewall (WAF) or host‑level firewall, add rules blocking requests that match the signature (requests invoking plugin endpoints with the lakit_bkrole parameter). Virtual patching can stop remote attempts immediately and buy time to patch and investigate. Tune rules to avoid false positives.
- Lock down access.
- Temporarily block traffic from suspicious IP ranges if you see scanning behavior.
- Restrict admin access to known IPs via .htaccess, hosting control panel, or firewall.
- Rotate credentials.
- Change administrative passwords (WP Admin, database user, hosting panel, FTP/SSH).
- Revoke any API keys, OAuth tokens, or service integrations the site holds and issue new credentials after you are sure the site is clean.
- Check for persistence.
Search for backdoors in uploads and plugin/theme folders, malicious scheduled tasks (cron entries), edits to wp-config.php, and added mu‑plugins.
- Snapshot and preserve.
Take a full backup (file‑system + database) and a forensic snapshot of the server for investigation before making further changes.
How to clean and recover (if compromise is confirmed)
If you find evidence of compromise (new admin, unknown PHP files, webshells, modified core/plugin/theme files) follow a structured recovery process.
- Isolate and preserve
- Take the site offline or put it into maintenance mode.
- Preserve logs, backups, and copies of suspicious files for investigators.
- Identify scope
- Inventory malicious artifacts, newly added admin accounts, and timeline of events.
- Determine what data may have been exfiltrated (user lists, payments, stored credentials).
- Remove backdoors
- Replace modified core, plugin, and theme files with clean versions from official sources.
- Remove suspicious files in uploads, mu‑plugins, and other writable directories.
- Clean database
- Remove unauthorized administrator accounts and suspicious user meta.
- Check for malicious options in wp_options (cron hooks, autoloaded options).
- Harden and restore
- Reinstall the plugin with the fixed version (1.6.0 or later), or remove the plugin entirely if you cannot trust it.
- Reset all passwords and rotate credentials.
- Ensure WordPress core, themes, and all plugins are updated.
- Post‑recovery monitoring
- Enable enhanced logging and integrity monitoring to detect re‑insertion of backdoors.
- Monitor outbound connections from the server for exfiltration activity.
If recovery is beyond your team’s capacity, engage an experienced incident response provider.
Detection & Indicators of Compromise (IoCs) — What to look for
- Newly created administrator accounts correlated around 21 Jan 2026 onward.
- Unusual HTTP requests to plugin endpoints, especially those containing parameters like lakit_bkrole.
- Unexpected PHP files in:
wp-content/uploads/
wp-content/plugins/lastudio-element-kit/
wp-content/mu-plugins/
- Abnormal scheduled events (wp‑cron) or added mu‑plugins that persist after plugin removal.
- Unexplained changes to wp_options (malicious autoloaded entries).
- Outbound network connections to suspicious IPs or domains originating from the webserver.
Keep copies of suspicious files for analysis and reporting.
WAF / Virtual patching guidance (technical)
If you manage your own WAF or server firewall, consider these conservative defensive measures (defensive only):
- Block requests to the plugin’s public endpoints when they contain the suspicious parameter name or unusual role assignment attempts.
- Block or rate‑limit requests that include keywords associated with the vulnerability (use careful pattern matching to avoid false positives).
- Block POST/GET requests to the plugin path from unknown user agents or with suspicious payload sizes where feasible.
- Create rules to alert on any HTTP requests to the plugin path that result in backend changes (e.g., 200 responses that coincide with user creation).
Conceptual pseudo‑rule:
If request path contains '/wp-content/plugins/lastudio-element-kit/' AND request parameters include 'lakit_bkrole' THEN block and log.
Tune signatures to avoid disrupting legitimate admin traffic.
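The conceptual rule above, and the "Logs and access patterns" check in the triage section, applied to access-log lines as an added example (not code from the advisory or any WAF vendor). It flags the parameter on the plugin path as high confidence and on any other path as medium, and the sample log with its placeholder endpoint name is constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Values taken from the advisory's conceptual rule.
PLUGIN_PATH = "/wp-content/plugins/lastudio-element-kit/"
PARAM = "lakit_bkrole"

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return a finding dict for one access-log line, or None if it is benign.

    'high'   = request to the plugin path carrying the parameter (the pseudo-rule)
    'medium' = parameter seen on any other path (probing via another entry point)
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode once before parsing so a percent-encoded name (lakit%5Fbkrole) is
    # still recognised; parse_qs decodes a second layer itself.
    target = unquote(m.group("target"))
    parts = urlsplit(target)
    names = set(parse_qs(parts.query, keep_blank_values=True))
    if PARAM not in names:
        return None
    severity = "high" if parts.path.startswith(PLUGIN_PATH) else "medium"
    return {"ip": m.group("ip"), "time": m.group("time"), "method": m.group("method"),
            "path": parts.path, "status": m.group("status"), "severity": severity}


def scan(lines):
    """Run classify() over an iterable of log lines; keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log (RFC 5737 addresses, placeholder endpoint name; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jan/2026:10:02:11 +0800] "GET /wp-content/plugins/lastudio-element-kit/example-endpoint.php?lakit_bkrole=x HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.9 - - [21/Jan/2026:10:03:45 +0800] "GET /?lakit%5Fbkrole=x HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.5 - - [21/Jan/2026:10:04:00 +0800] "GET /wp-content/plugins/lastudio-element-kit/assets/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jan/2026:10:05:12 +0800] "POST /wp-content/plugins/lastudio-element-kit/example-endpoint.php HTTP/1.1" 200 0 "-" "curl/8.4"
"""
# Line 3 is a normal asset fetch with no parameter and is not flagged, so the rule stays
# quiet on legitimate plugin traffic. Line 4 carries its parameters in the POST body, which
# the access log never records: log review cannot see it, only a WAF inspecting the body can.

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Because POST bodies are absent from access logs, a clean log scan does not prove the site was not probed; the WAF rule is what covers that case.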
Hardening recommendations (beyond patching)
- Principle of least privilege: Only grant admin role to accounts that truly need it. Use dedicated service accounts with scoped permissions.
- Multi‑factor authentication: Enforce MFA for all admin accounts.
- Regular backups: Daily off‑site backups with versioning and regular restore tests.
- File integrity monitoring: Alert on unexpected file changes in wp-content, wp-config.php, and other critical files.
- Security headers and HTTPS: Ensure TLS is up to date and apply security headers (HSTS, CSP where appropriate).
- Restrict file editing: Disable theme and plugin file editing in WordPress via wp-config.php:
define('DISALLOW_FILE_EDIT', true);
- Limit admin area access: Use server or firewall controls to allow admin area access only from known IP ranges where feasible.
- Vulnerability management: Monitor for plugin updates and subscribe to reputable vulnerability feeds.
- Sandboxed environments: Test plugin updates in staging before deploying to production.
Incident response playbook (concise)
- Detect: Identify suspicious activity via logs, WAF alerts, or integrity alerts.
- Contain: Temporarily deactivate the vulnerable plugin and block attack traffic.
- Analyze: Preserve logs/backups and scan for artifacts.
- Eradicate: Remove malicious files, accounts, and patch the vulnerability.
- Recover: Restore clean site and verify functionality; rotate credentials.
- Post‑incident: Conduct a root cause analysis, adjust controls, and document lessons learned.
Frequently asked questions
- Q: I updated the plugin — do I still need to scan my site?
- A: Yes. Updating fixes the code path for future exploitation but does not remove backdoors or users that an attacker may have created before the update. Scan and audit for persistence.
- Q: Can I rely solely on a WAF instead of updating?
- A: A WAF provides immediate protection (virtual patching), but the plugin should still be updated as the definitive fix. WAFs can fail on edge cases; defence in depth is essential.
- Q: What if I find a suspicious admin account — should I delete it?
- A: Preserve evidence first (export user details and logs). Then disable (change password, remove sessions) and, if confirmed malicious, delete. Ensure you rotate other credentials.
- Q: How do I check for hidden backdoors I can’t find?
- A: Use multiple scanners, compare files with clean plugin/theme copies, and check scheduled tasks and database hooks. If unsure, consult a forensic team.
Timeline (recommended actions immediately)
- 0–15 minutes: Confirm plugin version. If vulnerable, deactivate or apply firewall rules. Change critical passwords.
- 15–60 minutes: Perform scans for new admins and suspicious files. Snapshot server and preserve logs.
- 1–24 hours: Update plugin to 1.6.0 (or remove plugin if you can’t trust it). Clean any discovered persistence.
- 24–72 hours: Continue monitoring, harden, rotate credentials and conduct a full audit.
- Ongoing: Maintain vulnerability scanning, firewall protection, and scheduled backups.
Why virtual patching and WAF matter for incidents like this
Backdoors are frequently exploited within hours of public disclosure. Virtual patching — where firewall rules block exploit attempts — gives site owners a critical window to patch and investigate. It is not a substitute for updating code, but it buys time and can prevent mass compromise while you follow remediation steps.
Example safe commands and checks (defensive only)
- List installed plugin & version:
wp plugin list --format=csv | grep lastudio-element-kit
- Deactivate plugin:
wp plugin deactivate lastudio-element-kit
- List administrators:
wp user list --role=administrator --format=csv
- Search plugin folder for suspicious tokens (defensive):
grep -R --line-number "lakit_bkrole" wp-content/plugins/lastudio-element-kit || true
- Find recently modified PHP files:
find wp-content -type f -name '*.php' -mtime -30 -ls
Final notes for site owners and managers (Hong Kong security expert perspective)
From a Hong Kong security practitioner’s viewpoint: treat this disclosure as an operational emergency if you host the vulnerable plugin. Rapid, calm, and coordinated action reduces damage — confirm version, isolate if necessary, and engage appropriate technical resources.
Patching is the definitive fix; the plugin developer released version 1.6.0 to remediate the issue. If you cannot update immediately, remove or deactivate the plugin, apply conservative firewall rules to block exploit attempts, and perform a full audit.
Maintain routine audits, enforce least privilege, keep backups and monitoring in place, and ensure incident response procedures are practiced. These steps materially reduce the blast radius of incidents like this.
Closing
If you need specialist incident response or forensic help, engage an experienced provider promptly. For site owners in Hong Kong and the region: consider local incident response firms and hosting partners who understand regional regulations and can act rapidly. Stay vigilant and treat plugin upgrades and security monitoring as priority operational tasks — they are often the difference between a contained event and a large‑scale takeover.