New WordPress Backdoor Vulnerability Creates Malicious Admins

A critical backdoor vulnerability has been identified within the LA-Studio Element Kit for Elementor, a widely adopted WordPress plugin currently active on over 20,000 sites.

This security flaw allows attackers to create administrator accounts without any authentication, putting thousands of websites at risk of complete takeover.

The vulnerability, tracked as CVE-2026-0920, carries a CVSS score of 9.8, marking it as a critical threat that requires immediate action from site administrators.

The backdoor was introduced by a former employee who left the company in late December 2025. According to LA-Studio, the developer modified the plugin code shortly before their employment ended, inserting hidden functionality that allows unauthorized administrator account creation.

This incident highlights the growing concern around insider threats and the importance of code review processes during employee transitions.

Security researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham discovered the vulnerability on January 12, 2026, and reported it through the Wordfence Bug Bounty Program.

Wordfence analysts identified the flaw within the plugin’s user registration system, specifically in the ajax_register_handle function. The vulnerability was patched quickly, with version 1.6.0 released on January 14, 2026, just two days after the initial report.

The vulnerability exists in all versions up to and including 1.5.6.3 of the LA-Studio Element Kit for Elementor plugin. Attackers can exploit this flaw by sending a specially crafted registration request containing the lakit_bkrole parameter.

Once successful, they gain full administrative access to the targeted WordPress site, allowing them to upload malicious files, modify content, redirect visitors to harmful websites, or inject spam content.

Vulnerability Details:-

Wordfence researchers noted that the backdoor code was deliberately obfuscated to avoid detection during security reviews. This evasion technique made the malicious functionality harder to spot, allowing it to remain hidden within the plugin’s codebase.

The obfuscated code specifically targeted the user registration process, adding administrator capabilities to newly created accounts when the hidden parameter was present.

The Obfuscated Backdoor Mechanism

The backdoor operates through a carefully hidden modification within the plugin’s registration handling system.

When examining the code, Wordfence analysts found that the ajax_register_handle function contained obfuscated logic that checked for the presence of the lakit_bkrole parameter during user registration.

If this parameter was detected, the function would trigger additional filters that assigned administrator privileges to the newly created account.

The obfuscation included techniques like string manipulation and indirect function calls, making the malicious code blend seamlessly with legitimate plugin functionality.

This clever disguise allowed the backdoor to bypass standard security audits and remain undetected until researchers specifically investigated suspicious patterns in the registration workflow.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.