| Plugin name | LA-Studio Element Kit for Elementor |
|---|---|
| Vulnerability type | Backdoor |
| CVE number | CVE-2026-0920 |
| Urgency | Critical |
| CVE publication date | 2026-01-21 |
| Source URL | CVE-2026-0920 |
Critical Backdoor in LA‑Studio Element Kit for Elementor (CVE‑2026‑0920)
Updated: 21 January 2026
CVE: CVE‑2026‑0920. Plugin versions <= 1.5.6.3 are vulnerable; fixed in 1.6.0. Severity: CVSS 9.8 (High). Attack vector: Unauthenticated. Classification: Backdoor / Privilege escalation.
If your WordPress site uses the LA‑Studio Element Kit for Elementor and runs version 1.5.6.3 or earlier, treat this as an immediate emergency. The vulnerability allows unauthenticated actors to create administrative users via a hidden parameter and gain full site control. Verify version, patch urgently, and investigate for signs of compromise.
Why this is so urgent
As a Hong Kong security practitioner who frequently advises local businesses and government-facing sites, I stress that backdoors are among the highest-risk issues. This case is particularly serious because:
- It is exploitable without authentication — any remote actor can trigger it.
- It enables creation of administrative accounts, giving full control of affected sites.
- The backdoor was embedded in plugin code and bypasses normal permission checks.
- Impact spans confidentiality, integrity and availability — CVSS reflects this with a high score.
Following public disclosure, attackers typically scan for exposed plugin instances. Fast, decisive action reduces the chance of mass compromise.
What we know about the vulnerability (summary)
- Affected software: LA‑Studio Element Kit for Elementor (WordPress plugin)
- Vulnerable versions: any release at or below 1.5.6.3
- Fixed in: 1.6.0
- Vulnerability type: backdoor leading to unauthenticated privilege escalation (administrative user creation)
- Vector: The plugin exposes an undocumented entry point that accepts a special parameter (identified in public reporting as lakit_bkrole), which can trigger creation of a user with administrative capabilities.
- Discovery: Reported by security researchers and publicly disclosed on 21 Jan 2026.
- CVE: CVE‑2026‑0920
- CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Note: this write-up avoids reproducing exploit payloads. The goal is to help defenders detect, mitigate and recover.
How the attack works (high level, defender-focused)
Researchers identified a code path that accepts remote input and, when invoked, creates or modifies user role assignments. The parameter referenced is lakit_bkrole — likely intended for internal use but left exposed and insufficiently checked.
A remote attacker can craft an HTTP request containing this parameter to cause the plugin to create a new user with administrative rights. Because the entry point lacks authentication checks in affected versions, the attacker obtains full administrative access without any prior credentials.
The consequences include:
- Full WP Admin access and ability to modify files via themes/plugins.
- Installation of persistent backdoors, cron jobs and malware.
- Potential data exfiltration (database, user data, credentials).
- Hijacking of e‑mail, payment, affiliate or other business workflows.
Real-world attack scenarios
- Mass compromise: automated scanning and rapid admin-user creation across many sites.
- Targeted takeover: attackers target high-value sites and pivot within an organisation.
- Supply-chain abuse: stolen credentials or API keys used beyond the site itself.
Am I vulnerable? Immediate checks
Perform these defensive checks immediately:
- Plugin version
Check WordPress Admin → Plugins for “LA‑Studio Element Kit for Elementor”. Confirm the version. Or use WP‑CLI:
wp plugin list --format=table | grep lastudio-element-kit
If the version is <= 1.5.6.3, you are vulnerable.
- New or unexpected administrator accounts
Inspect All Users for unfamiliar admin accounts. WP‑CLI:
wp user list --role=administrator --fields=ID,user_login,user_email,display_name,registered
Look for recently created accounts (on or after disclosure).
- Suspicious users and roles
Check for non‑standard roles or unexpected capabilities. Dump roles:
wp eval 'print_r(get_editable_roles());'
- File modifications and suspicious files
Search for recently modified PHP files and unexpected files in uploads or plugin directories:
find /path/to/wp-content -type f -mtime -30 -name '*.php' -ls
Search the plugin folder for references to the indicator string:
grep -R --line-number "lakit_bkrole" wp-content/plugins/lastudio-element-kit
- Logs and access patterns
Inspect webserver logs for unusual POST/GET requests to plugin endpoints, especially those carrying the lakit_bkrole parameter.
- Database check
Query recent user creations:
SELECT ID,user_login,user_email,user_registered FROM wp_users WHERE user_registered > '2026-01-01' ORDER BY user_registered DESC;
If any of the above indicate suspicious activity, treat the site as potentially compromised and proceed to containment and investigation.
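The version and new-admin checks above, as an added triage script that is not part of the original advisory: it parses WP-CLI CSV output, compares the plugin version numerically against 1.5.6.3 (plain string comparison would mis-order a release such as 1.5.10), and lists administrator accounts registered on or after the disclosure date. Column names follow WP-CLI's defaults and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

PLUGIN_SLUG = "lastudio-element-kit"
LAST_VULNERABLE = "1.5.6.3"          # releases at or below this are affected (per the advisory)
DISCLOSURE = datetime(2026, 1, 21)   # public disclosure date (per the advisory)


def parse_version(version):
    """Numeric tuple so 1.5.10 sorts above 1.5.6.3; string comparison gets this wrong."""
    return tuple(int(p) for p in version.strip().split(".") if p.isdigit())


def is_vulnerable(version):
    """True for any release at or below 1.5.6.3 (1.6.0 and later are fixed)."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def plugin_status(plugin_csv):
    """(installed, version, vulnerable) for the slug in `wp plugin list --format=csv` output."""
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        if row.get("name") == PLUGIN_SLUG:
            return True, row["version"], is_vulnerable(row["version"])
    return False, None, False


def recent_admins(user_csv, since=DISCLOSURE):
    """Logins of administrator accounts registered on/after `since`; each needs manual review."""
    hits = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in row["roles"].split(",") and registered >= since:
            hits.append(row["user_login"])
    return hits


# Constructed sample output; real data comes from
#   wp plugin list --format=csv
#   wp user list --role=administrator --fields=ID,user_login,user_registered,roles --format=csv
SAMPLE_PLUGINS = """name,status,update,version
elementor,active,none,3.25.0
lastudio-element-kit,active,available,1.5.6.3
"""
SAMPLE_USERS = """ID,user_login,user_registered,roles
1,siteadmin,2023-04-02 10:11:12,administrator
57,wp_support,2026-01-22 03:14:07,administrator
"""

if __name__ == "__main__":
    installed, version, vulnerable = plugin_status(SAMPLE_PLUGINS)
    print(f"installed={installed} version={version} vulnerable={vulnerable}")
    print("admins registered since disclosure:", recent_admins(SAMPLE_USERS))
```

Pipe the real WP-CLI output into these functions in place of the constructed samples; a non-empty admin list is a lead to investigate, not proof of compromise by itself.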
Immediate mitigation steps (first 60 minutes)
If you confirm the plugin is installed or cannot verify quickly, take these actions now:
- Update: Upgrade the plugin to 1.6.0 or later immediately. This is the definitive fix.
- If update is not possible immediately:
- Deactivate the plugin: WP Admin → Plugins → Deactivate, or
- WP‑CLI:
wp plugin deactivate lastudio-element-kit
- If deactivation fails, remove or rename the plugin folder (rename to preserve files for investigation):
mv wp-content/plugins/lastudio-element-kit wp-content/plugins/lastudio-element-kit.bak
- Virtual patching / WAF rule: If you operate a WAF or host-level filtering, create a rule to block requests that include the lakit_bkrole parameter or requests to the plugin path that attempt role changes. This provides temporary protection while you update and investigate.
- Close off access: Temporarily restrict admin access by IP where feasible (server controls, .htaccess, hosting panel) and block suspicious IP ranges observed in logs.
- Rotate credentials: Change administrative passwords (WP Admin, hosting control panel, database, FTP/SSH) and revoke API keys/tokens that may have been exposed.
- Check for persistence: Search for backdoors in uploads, mu‑plugins, and plugin/theme folders; check wp-config.php and scheduled tasks for unexpected entries.
- Snapshot and preserve: Take a full backup (files + DB) and preserve logs for forensic analysis before making further changes.
How to clean up and recover (if compromise is confirmed)
- Isolate and preserve
Take the site offline or enable maintenance mode. Preserve logs, backups and copies of suspicious files for investigators.
- Identify the scope
Inventory malicious artifacts, newly added admin accounts and timeline of events. Determine data exposure.
- Remove backdoors
Replace modified core, plugin and theme files with clean copies from official sources. Remove suspicious files from uploads, mu‑plugins and writable directories.
- Clean the database
Remove unauthorized administrator accounts and suspicious user meta. Inspect wp_options for malicious autoloaded entries and cron hooks.
- Harden and restore
Reinstall the fixed plugin version (1.6.0 or later). Reset all passwords and rotate credentials. Ensure WordPress core, themes and all plugins are up to date.
- Post-recovery monitoring
Enable enhanced logging and integrity monitoring, and monitor outbound connections from the server for unusual activity.
Detection & Indicators of Compromise (IoCs)
- Newly created administrator accounts clustered around 21 January 2026 and onward.
- HTTP requests to plugin endpoints with parameters such as lakit_bkrole.
- Unexpected PHP files in:
  - wp-content/uploads/
  - wp-content/plugins/lastudio-element-kit/
  - wp-content/mu-plugins/
- Abnormal scheduled events (wp‑cron) or persistent mu‑plugins.
- Unexpected autoloaded options in wp_options.
- Outbound network connections to unusual IPs or domains from the web server.
Immediate protective actions (non‑vendor specific)
If you run managed security or WAF services, ensure they are configured to detect and block requests targeting the plugin path and parameter indicators. For self‑managed environments, apply conservative rules that block or alert on requests that contain the suspicious parameter and target the plugin path. Tune rules to reduce false positives and monitor alerts closely during the patch window.
WAF / virtual patching guidance (technical)
For administrators managing WAFs directly, consider these defensive measures (keep rules conservative to avoid disrupting legitimate admin traffic):
- Block or rate‑limit requests to the plugin path (e.g., /wp-content/plugins/lastudio-element-kit/) that include the parameter name lakit_bkrole.
- Alert on any request to the plugin path that results in backend changes (e.g., a 200 response followed by a newly created admin account).
- Limit allowed methods and acceptable content types for plugin endpoints where possible.
Example conceptual pseudo-rule (defensive): If request path contains /wp-content/plugins/lastudio-element-kit/ AND request parameters include lakit_bkrole THEN block and log.
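The pseudo-rule above and the log check in the "Logs and access patterns" item, implemented as an added triage script that is not from the original page: it runs the path-AND-parameter test over access-log lines in Apache/nginx combined format and, going slightly beyond the rule, raises a weaker alert when the parameter appears elsewhere on the site or a POST hits the plugin path, because access logs do not record request bodies. The sample lines are constructed with RFC 5737 addresses, the real entry point is not reproduced, and the parameter value is redacted.

```python
import re
from urllib.parse import urlsplit, parse_qs

PLUGIN_PATH = "/wp-content/plugins/lastudio-element-kit/"   # plugin path from the advisory
INDICATOR = "lakit_bkrole"                                    # parameter name from the advisory

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Verdict for one access-log line: 'block', 'alert' or None (not of interest)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    has_indicator = INDICATOR in params
    under_plugin = PLUGIN_PATH in url.path
    if under_plugin and has_indicator:
        return "block"   # the advisory's pseudo-rule: plugin path AND indicator parameter
    if has_indicator or (under_plugin and m.group("method") == "POST"):
        return "alert"   # weaker signal: parameter elsewhere, or a POST whose body the log cannot show
    return None

def triage(lines):
    """(verdict, ip, time, status, target) for every flagged line, in log order."""
    findings = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            m = LOG_RE.match(line)
            findings.append((verdict, m.group("ip"), m.group("time"),
                             m.group("status"), m.group("target")))
    return findings

# Constructed sample lines; the query is shown against the plugin folder with a redacted value.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jan/2026:14:02:11 +0800] "GET /wp-content/plugins/lastudio-element-kit/assets/app.js HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jan/2026:14:05:43 +0800] "GET /wp-content/plugins/lastudio-element-kit/?lakit_bkrole=REDACTED HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.7 - - [21/Jan/2026:14:05:44 +0800] "POST /wp-content/plugins/lastudio-element-kit/ HTTP/1.1" 200 45 "-" "python-requests/2.31"',
    '192.0.2.9 - - [22/Jan/2026:02:17:05 +0800] "GET /?lakit_bkrole=REDACTED HTTP/1.1" 404 1203 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Feed it `access.log` line by line instead of SAMPLE_LOG; a "block" hit with a 200 status is the correlation point for the new-admin query in the database check.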
Hardening recommendations (beyond patching)
- Principle of least privilege — only grant admin role when strictly necessary.
- Enforce multi‑factor authentication for all admin accounts.
- Daily off‑site backups with versioning and restore tests.
- File integrity monitoring and alerting on unexpected changes to critical files.
- Ensure TLS is up to date and apply appropriate security headers where feasible.
- Disable theme and plugin file editing via wp-config.php: define('DISALLOW_FILE_EDIT', true);
- Restrict admin area access via server controls or network-level restrictions when possible.
- Maintain vulnerability monitoring and test updates in staging before production rollout.
Incident response playbook (concise)
- Detect: Identify suspicious activity via logs, alerts or integrity checks.
- Contain: Deactivate the vulnerable plugin and block attack traffic.
- Analyze: Preserve logs and backups; scan for artifacts.
- Eradicate: Remove malicious files and accounts; patch the vulnerability.
- Recover: Restore clean systems, rotate credentials and verify operations.
- Post‑incident: Conduct root cause analysis, adjust controls, and document lessons learned.
Frequently asked questions
Q: I updated the plugin. Do I still need to scan my site?
A: Yes. Updating prevents future exploitation but does not remove backdoors or accounts created prior to the update. Scan and audit for persistence.
Q: Can I rely solely on a WAF instead of updating?
A: A WAF can provide important immediate protection, but it is not a substitute for applying the official patch. Combine virtual patching with prompt updates and verification.
Q: What if I find a suspicious administrator account? Should I delete it?
A: Preserve evidence first (export user details and relevant logs). Then disable the account (change password, terminate sessions) and, if confirmed malicious, delete it. Rotate other credentials as part of recovery.
Q: How can I check for hidden backdoors that I cannot find?
A: Use multiple defensive scanners, compare files with known-good plugin/theme packages, and review scheduled tasks and database hooks. If unsure, engage a forensic specialist.
Timeline (recommended immediate actions)
- 0–15 minutes: Confirm plugin version. If vulnerable, deactivate or apply blocking rules. Change critical passwords.
- 15–60 minutes: Scan for new admins and suspicious files. Snapshot server and preserve logs.
- 1–24 hours: Update plugin to 1.6.0 or remove plugin if you cannot trust it. Clean discovered persistence.
- 24–72 hours: Continue monitoring, harden systems and rotate credentials.
- Ongoing: Maintain vulnerability scanning, monitoring and regular backups.
Why virtual patching and WAFs matter for incidents like this
Backdoors are often exploited within hours of public disclosure. Virtual patching (blocking exploit attempts at the web/application layer) can buy crucial time to patch, investigate and remediate. It is a temporary protective measure, not a replacement for updating vulnerable code.
Example commands and safe checks (defensive only)
# List installed plugin & version
wp plugin list --format=csv | grep lastudio-element-kit
# Deactivate plugin
wp plugin deactivate lastudio-element-kit
# List administrators
wp user list --role=administrator --format=csv
# Search plugin folder for suspicious tokens (defensive)
grep -R --line-number "lakit_bkrole" wp-content/plugins/lastudio-element-kit || true
# Find recently modified PHP files
find wp-content -type f -name '*.php' -mtime -30 -ls
Final notes for site owners and managers (Hong Kong perspective)
Treat this disclosure as an emergency if your environment hosts the vulnerable plugin. Apply the official update (1.6.0) as the primary remediation, and follow rapid detection, containment and recovery steps if you cannot update immediately. For organisations in Hong Kong, consider notifying stakeholders and preserving forensic evidence if customer or sensitive data may have been affected.
Closing — seeking professional assistance
If investigation or recovery exceeds internal capabilities, engage a professional incident response provider with WordPress forensic experience. Rapid, evidence‑based action is the difference between contained incidents and widespread compromise.
— A Hong Kong security expert