securityonline.info 1/23/2026, 3:15:58 AM · via preferred

Sabotage & Exploited in the Wild: Critical Backdoor Found in LA-Studio Element Kit


On 23 January 2026, a critical WordPress backdoor was disclosed in the LA-Studio Element Kit for Elementor, a plugin active on over 20,000 websites. The flaw, tracked as CVE-2026-0920, carries a maximum CVSS score of 9.8 and allows unauthenticated attackers to instantly create administrator accounts and seize full control of affected sites.

According to the Wordfence report, the malicious code was planted by a former staff member, with the last change to the backdoor made shortly before the developer’s departure in late December. The backdoor resides in the plugin’s user registration handling: an obfuscated ajax_register_handle() function adds an administrator capability to new users when a registration request contains the parameter lakit_bkrole.

Wordfence also notes that attacks are already being detected in the wild, with 216 attacks blocked in the past 24 hours. The LA-Studio team released a patch on 14 January 2026, and users are urged to update to version 1.6.0 to remove the backdoor. The incident highlights insider threat risks and the need for robust controls during employee terminations.
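For sites that ran a vulnerable version, request logs can be checked for the registration parameter described above. The following is an added example, not code from Wordfence, LA-Studio or the original article; it assumes a JSON-lines log from a proxy or WAF that records the URL and the form body, and the field names, endpoint path and sample records are constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, urlsplit

BACKDOOR_PARAM = "lakit_bkrole"  # parameter name given in the article

# Constructed sample log (assumed format: one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2026-01-22T10:01:02Z", "ip": "198.51.100.7", "url": "/example-endpoint", "body": "username=a&email=a%40example.test"}
{"ts": "2026-01-22T10:03:44Z", "ip": "203.0.113.9", "url": "/example-endpoint", "body": "username=b&lakit_bkrole=PLACEHOLDER"}
{"ts": "2026-01-22T10:05:10Z", "ip": "203.0.113.9", "url": "/example-endpoint?lakit%5Fbkrole=PLACEHOLDER", "body": ""}
not-json garbage line
{"ts": "2026-01-22T10:06:00Z", "ip": "192.0.2.4", "url": "/blog/?s=lakit_bkrole", "body": ""}
"""

def param_names(encoded):
    """Return the decoded parameter names in a query string or form body."""
    names = set()
    for key, _ in parse_qsl(encoded, keep_blank_values=True):
        # PHP reads name[] and name[x] as the parameter "name".
        names.add(key.split("[", 1)[0])
    return names

def find_backdoor_requests(log_text):
    """List log records whose query string or body carries the parameter."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        where = []
        if BACKDOOR_PARAM in param_names(urlsplit(rec.get("url") or "").query):
            where.append("query")
        if BACKDOOR_PARAM in param_names(rec.get("body") or ""):
            where.append("body")
        if where:
            hits.append({"line": lineno, "ts": rec.get("ts"),
                         "ip": rec.get("ip"), "where": where})
    return hits

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(hit)
```

Matching on decoded parameter names rather than on a raw substring catches the percent-encoded form and ignores requests that only mention the name in a value, such as a site search. Any hit is a reason to review the administrator accounts created around that timestamp.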


Article by CyberSIXT