Critical Backdoor in LA-Studio Element Kit for Elementor Exposes 20,000+ WordPress Sites A severe backdoor vulnerability (CVE-2026-0920, CVSS 9.8) in the LA-Studio Element Kit for Elementor plugin has left over 20,000 WordPress installations vulnerable to unauthenticated attacks. The flaw allows attackers to create administrator accounts and fully compromise affected sites by exploiting the `lakit_bkrole` parameter during user registration, bypassing role restrictions. The malicious code, deliberately obfuscated, was traced to a former LA-Studio employee who injected it before departing in December 2025. The vulnerability resides in the `ajax_register_handle` function within the `LA-Studio_Kit_Integration` class, enabling attackers to upload malicious files, alter content, inject spam, or redirect visitors to phishing sites all without authentication. Security firm Wordfence discovered the flaw on January 12, 2026, validating the exploit within 24 hours. LA-Studio responded swiftly, releasing a patched version (1.6.0) on January 14, 2026. Researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham earned a $975 bounty for the responsible disclosure. Protection measures were rolled out in phases: Wordfence Premium, Care, and Response users received firewall rules on January 13, 2026, while free users will gain access on February 12, 2026. The incident highlights risks posed by insider threats and underscores the need for stricter code audits, developer monitoring, and offboarding protocols in plugin development. Site administrators are advised to update immediately to version 1.6.0 to mitigate the threat.