CVE-2026-0920 is a critical security vulnerability identified in the LA-Studio Element Kit for Elementor, a popular WordPress plugin used to enhance website design and functionality. The vulnerability stems from improper privilege management (CWE-269) in the plugin's 'ajax_register_handle' function, which handles user registration requests. Specifically, the function does not properly restrict the 'lakit_bkrole' parameter, allowing unauthenticated attackers to specify arbitrary user roles during registration. This flaw enables attackers to create new administrative users without any authentication or user interaction, effectively granting them full control over the affected WordPress site. The vulnerability affects all versions of the plugin up to and including 1.5.6.3. The CVSS v3.1 base score is 9.8, reflecting the critical nature of this vulnerability with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Exploitation can lead to complete site takeover, data theft, defacement, or deployment of malicious payloads. As of the published date, no official patches or updates have been released, and no exploits have been observed in the wild. The vulnerability was reserved and published by Wordfence, a reputable security entity, indicating credible discovery and reporting. Given the widespread use of WordPress and Elementor, this vulnerability poses a significant risk to many websites globally.

The impact of CVE-2026-0920 is severe and far-reaching. Successful exploitation allows attackers to create administrative accounts on vulnerable WordPress sites, granting them unrestricted access to site content, user data, and backend configurations. This can lead to data breaches, website defacement, insertion of malicious code such as backdoors or ransomware, and disruption of website availability. Organizations relying on the LA-Studio Element Kit for Elementor risk losing customer trust, suffering reputational damage, and incurring financial losses due to downtime and remediation costs. The vulnerability's ease of exploitation—requiring no authentication or user interaction—means attacks can be automated and widespread. Additionally, compromised sites can be leveraged as launchpads for further attacks, including phishing campaigns or distribution of malware. The lack of available patches increases the window of exposure, heightening the urgency for mitigation. This threat is particularly critical for e-commerce, media, and enterprise websites that depend on WordPress for their online presence.

Given the absence of official patches, organizations should implement immediate compensating controls. First, restrict access to the 'ajax_register_handle' endpoint by implementing web application firewall (WAF) rules that block or monitor requests containing the 'lakit_bkrole' parameter or suspicious registration attempts. Disable or remove the LA-Studio Element Kit for Elementor plugin if it is not essential. If the plugin is necessary, isolate affected WordPress instances behind strict access controls and monitor logs for unusual user creation activities. Employ multi-factor authentication (MFA) for all administrative accounts to reduce the risk of unauthorized access. Regularly audit user accounts to detect and remove unauthorized administrators. Keep WordPress core and other plugins updated to minimize attack surface. Engage in proactive threat hunting and incident response readiness to quickly identify and remediate any exploitation attempts. Finally, maintain offline backups of website data to enable recovery in case of compromise.