cleantalk
Vulnerabilities and Security Researches

LA-Studio Element Kit for Elementor, CVE-2026-0920

CVE, Research URL

CVE-2026-0920

Home page URL

Security reports for LA-Studio Element Kit for Elementor

Application

LA-Studio Element Kit for Elementor

Published on
Jan 22, 2026
Research Description
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.
Affected versions
max 1.6.0.
Status
vulnerable
Previous vulnerability researches
Modular DS: Manage all your websites from a single dashboard (CVE-2026-3903) , Apr 14, 2026
Modular DS: Manage all your websites from a single dashboard (CVE-2026-23550) , Jan 27, 2026
Modular DS: Manage all your websites from a single dashboard (CVE-2026-23800) , Jan 27, 2026
New vulnerability
Nexter Extension (CVE-2026-0726) , Apr 15, 2026
CallbackKiller service widget (CVE-2026-1944) , Apr 15, 2026
Robin image optimizer — save money on image compression (CVE-2026-1319) , Apr 15, 2026
Advanced Woo Labels – Product Labels for WooCommerce (CVE-2026-1929) , Apr 15, 2026
Newsletter – Send awesome emails from WordPress (CVE-2026-1051) , Apr 15, 2026