A critical security incident has rocked the WordPress community after a “backdoor” vulnerability was discovered in the LA-Studio Element Kit for Elementor, a plugin active on over 20,000 websites. The flaw, tracked as CVE-2026-0920, carries a maximum CVSS severity score of 9.8, allowing unauthenticated attackers to instantly create administrator accounts and seize full control of affected sites.
But unlike typical bugs born from coding errors, this vulnerability appears to be an act of sabotage.
Following the discovery, the plugin’s vendor made a startling admission: the malicious code was planted by a former staff member.
“The vendor informed us, in response to our inquiry, that a former employee added the backdoor code to the plugin,” the Wordfence report reveals. The timing was precise; the developer’s employment ended in late December, and “the last change to the backdoor was made that time,” suggesting the code was modified shortly before their departure.
The backdoor was hidden inside the plugin’s user registration handling. Technical analysis shows that the ajax_register_handle() function contained “obfuscated code that adds an administrator capability to the new user”.
Attackers could trigger this by simply sending a registration request containing the specific parameter lakit_bkrole. The code was deliberately disguised to avoid notice. “What made this particularly interesting is that the functionality was visibly obfuscated, which appeared to be an attempt to evade detection,” the researchers noted.
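Because the trigger is a single request parameter, the most direct detection is to look for that parameter in registration requests. The script below is an added example written for this article, not code from Wordfence or LA-Studio: it merges query-string and body parameters the way PHP's $_REQUEST would (the array a handler such as ajax_register_handle() reads from) and flags any request carrying lakit_bkrole. The request records are constructed, the AJAX action names are hypothetical placeholders, and the record shape assumes a WAF or application-level logger that captures request bodies (a plain access log will not).

```python
import json
from urllib.parse import parse_qs, urlparse

# The request parameter the article names as the backdoor trigger.
BACKDOOR_PARAM = "lakit_bkrole"

# Constructed sample request records shaped like what a WAF or application
# request logger might capture: (method, request target, raw body).
# The "action" values are hypothetical placeholders, not the plugin's
# real AJAX action names.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=example_register&user_login=alice&user_email=alice%40example.test"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=example_register&user_login=mallory&lakit_bkrole=1"),
    ("GET", "/wp-admin/admin-ajax.php?action=example_register&lakit_bkrole=administrator", ""),
    ("POST", "/wp-json/example/v1/register",
     '{"user_login": "carol", "lakit_bkrole": true}'),
    ("GET", "/?p=42", ""),
]


def request_params(method, target, body):
    """Merge query-string and body parameters into one dict, mirroring
    PHP's $_REQUEST, which is where a registration handler would read them.
    Form-encoded and JSON bodies are both handled; the last value wins."""
    params = {}
    for key, values in parse_qs(urlparse(target).query, keep_blank_values=True).items():
        params[key] = values[-1]
    if body:
        stripped = body.lstrip()
        if stripped.startswith("{"):
            try:
                data = json.loads(stripped)
            except json.JSONDecodeError:
                data = None
            if isinstance(data, dict):
                params.update({str(k): str(v) for k, v in data.items()})
        else:
            for key, values in parse_qs(body, keep_blank_values=True).items():
                params[key] = values[-1]
    return params


def find_backdoor_attempts(records):
    """Return (index, method, target, value) for every request that carries
    the backdoor parameter anywhere in its query string or body."""
    hits = []
    for i, (method, target, body) in enumerate(records):
        params = request_params(method, target, body)
        if BACKDOOR_PARAM in params:
            hits.append((i, method, target, params[BACKDOOR_PARAM]))
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_attempts(SAMPLE_REQUESTS):
        print("backdoor trigger seen:", hit)
```

The check is on the parameter name alone, not its value, because the article does not say which values the obfuscated code accepted; a defender wants every occurrence surfaced, since the parameter has no legitimate use. Run over historical request logs, it also answers the question the article raises for site owners who updated late: whether anyone already triggered the backdoor before the patch.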
The consequences of this breach are severe. “Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would”. This includes uploading malicious files, injecting spam, or redirecting visitors to dangerous websites.
Attacks are already being detected in the wild. Wordfence blocked 216 attacks targeting this vulnerability in the past 24 hours alone.

Upon being notified by Wordfence on January 13, 2026, the LA-Studio team acted quickly, releasing a patch the very next day.
Users are urged to update to version 1.6.0 immediately to remove the backdoor. The incident stands as a stark warning to tech companies: “This serves as an important reminder about insider threats, and ensuring proper controls and checks are in place for employee terminations”.
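For an administrator checking many sites, the two questions are whether the installed copy is older than 1.6.0 and whether the backdoor marker is still present in the code. The script below is an added example for this article, not LA-Studio's or Wordfence's tooling: it reads the standard WordPress "Version:" plugin header, compares it with the fixed version the article names, and greps the plugin tree for the lakit_bkrole string. The plugin directory layout, file names and the stand-in marker line it builds for the demonstration are all constructed, not the real plugin's code.

```python
import os
import re
import tempfile

BACKDOOR_MARKER = "lakit_bkrole"
FIXED_VERSION = (1, 6, 0)  # version the article says removes the backdoor

# Standard WordPress plugin header line, e.g. " * Version: 1.5.9".
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(text):
    """Turn '1.5.9' into (1, 5, 9) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def installed_version(plugin_dir):
    """Read the Version: header. WordPress keeps it in the main plugin file;
    since that file's name is not given in the article, every top-level
    .php file is checked and the first header found wins."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if name.endswith(".php") and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = VERSION_HEADER.search(fh.read(8192))
            if match:
                return parse_version(match.group(1))
    return None


def find_marker(plugin_dir):
    """Return (relative path, line number) for every .php line containing
    the backdoor marker string."""
    hits = []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if BACKDOOR_MARKER in line:
                        hits.append((os.path.relpath(path, plugin_dir), lineno))
    return hits


def assess(plugin_dir):
    """Summarise version status and marker hits for one plugin directory."""
    version = installed_version(plugin_dir)
    return {
        "version": version,
        "outdated": version is None or version < FIXED_VERSION,
        "marker_hits": find_marker(plugin_dir),
    }


def build_sample_plugin(version, include_marker):
    """Construct a throwaway plugin tree for the demonstration. The file
    names and the marker line are hypothetical stand-ins, not the real code."""
    plugin_dir = tempfile.mkdtemp(prefix="sample-plugin-")
    with open(os.path.join(plugin_dir, "plugin.php"), "w") as fh:
        fh.write("<?php\n/*\n * Plugin Name: Sample Plugin\n * Version: %s\n */\n" % version)
    os.makedirs(os.path.join(plugin_dir, "inc"))
    with open(os.path.join(plugin_dir, "inc", "register.php"), "w") as fh:
        fh.write("<?php\nfunction sample_register() {\n")
        if include_marker:
            fh.write("    // constructed stand-in line containing lakit_bkrole\n")
        fh.write("}\n")
    return plugin_dir


if __name__ == "__main__":
    for ver, marker in (("1.5.9", True), ("1.6.0", False)):
        print(ver, assess(build_sample_plugin(ver, marker)))
```

Treat the version comparison as the primary signal. The article says the backdoor code was obfuscated, so the parameter name may not appear as a plain literal in a tampered copy and a string search can return nothing while the backdoor is still present; a missing or sub-1.6.0 version is reason enough to update and then audit the site's administrator accounts.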