Critical Backdoor in LA-Studio Element Kit for Elementor Exposes 20,000+ WordPress Sites A severe backdoor vulnerability (CVE-2026-0920) has been discovered in the LA-Studio Element Kit for Elementor, a WordPress plugin with over 20,000 active installations. The flaw, rated 9.8 on the CVSS scale, allows unauthenticated attackers to create administrator accounts, enabling full site takeovers. The backdoor was introduced by a former LA-Studio employee who modified the plugin’s code before departing in late December 2025. The malicious functionality, hidden within the plugin’s user registration system, remained undetected until security researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham identified it on January 12, 2026, via the Wordfence Bug Bounty Program. Exploitation occurs via a specially crafted registration request containing the `lakit_bkrole` parameter, granting attackers administrative privileges. Once exploited, they can upload malicious files, alter content, redirect visitors, or inject spam. The vulnerability affects all versions up to and including 1.5.6.3, with a patch (version 1.6.0) released on January 14, 2026. Wordfence analysts noted the backdoor was deliberately obfuscated using string manipulation and indirect function calls, making it difficult to detect during standard security reviews. The flaw specifically targeted the `ajax_register_handle` function, bypassing normal registration checks when the hidden parameter was present. Wordfence provided protection for Premium users on January 13, 2026, with free users receiving coverage on February 12, 2026. The incident underscores the risks of insider threats and the need for rigorous code review during employee transitions.