20,000 WordPress Sites at Risk From Plugin Admin Backdoor | eSecurity Planet

20,000 WordPress Sites at Risk From Plugin Admin Backdoor

A backdoor bug in a WordPress plugin with 20,000+ installs lets attackers create admin accounts without logging in.

Written By
Ken Underhill
Ken Underhill
Jan 26, 2026
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A WordPress plugin flaw puts thousands of websites one step away from full compromise by letting attackers create administrator accounts without logging in. 

The issue affects the LA-Studio Element Kit for Elementor plugin that has 20,000+ active installs, and it enables unauthenticated admin user creation through a hidden backdoor.

“Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would,” said Wordfence in its advisory.

How CVE-2026-0920 Works

The vulnerability, tracked as CVE-2026-0920, has been assigned a CVSS score of 9.8.

Researchers traced the flaw to the plugin’s user registration workflow, specifically within the ajax_register_handle function. 

There, they found obfuscated backdoor logic designed to look like normal registration code while secretly checking for a hidden request parameter: lakit_bkrole.

If an attacker submits a specially crafted registration request containing that parameter, the plugin quietly triggers additional filters that assign administrator privileges to the newly created account. 

In practical terms, this transforms a routine “create user” action into an unauthenticated privilege escalation path, allowing the attacker to gain full control of the WordPress dashboard without needing valid credentials.

With administrator access, an attacker can move quickly from account creation to full compromise. 

Follow-on actions for threat actors can include installing malicious plugins or web shells, modifying site content to deliver malware, redirecting visitors to phishing pages, and injecting SEO spam designed to monetize traffic or manipulate search rankings. 

Attackers can also establish long-term persistence by creating additional admin accounts, scheduling automated tasks, or making configuration changes.

Wordfence noted the backdoor was deliberately hidden through obfuscation techniques such as string manipulation and indirect function calls. 

This approach makes malicious behavior more difficult to spot during routine reviews and allows it to blend into legitimate registration handling.

LA-Studio has released a patch for the vulnerability and Wordfence has released a firewall rule on their end to help protect against exploitation.

Security Controls to Reduce Blast Radius

If your organization runs WordPress, it’s worth addressing this vulnerability quickly and methodically. 

Because the issue can allow unauthorized administrator account creation, remediation should include more than just applying the update. 

  • Patch immediately by upgrading LA-Studio Element Kit for Elementor to version 1.6.0 or later.
  • Audit WordPress users for unauthorized administrator accounts and remove any suspicious or unexpected admins.
  • Inspect for persistence by reviewing recent plugin/theme installs, file changes (wp-config.php, .htaccess), cron jobs, and uploads in wp-content.
  • Rotate credentials, enforce MFA, and reduce privileged access using least privilege and limited admin accounts.
  • Restrict access to wp-admin and wp-login.php using IP allowlisting, VPN access, or additional authentication controls.
  • Enable centralized logging and monitoring to detect abnormal registration requests, admin role changes, and unusual outbound traffic.
  • Validate backups and regularly test incident response plans, including restore and rollback procedures for WordPress compromises.

These steps combine patching, account review, and basic integrity checks to confirm the site hasn’t been altered. 

Advertisement

Plugin Security Is Site Security

For organizations that rely on WordPress and third-party plugins, CVE-2026-0920 is a reminder that a single compromised component can quickly become a full-site security issue.

Treat plugin updates as part of your overall security posture, not routine maintenance, and validate changes before and after deployment.  

Vulnerabilities like this are a reminder why organizations are adopting zero-trust approaches to limit blast radius when any component is compromised.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.