Critical severity9.8NVD Advisory· Published Jan 22, 2026· Updated Apr 15, 2026
CVE-2026-0920
CVE-2026-0920
Description
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.5.6.3
- Range: <=1.5.6.3
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.