CVE-2026-0920
Published: 22 January 2026
Summary
CVE-2026-0920 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly manages account creation, enabling, modification, and privilege assignment to prevent unauthenticated attackers from registering administrator accounts with elevated roles.
Requires validation of user-supplied inputs such as the 'lakit_bkrole' parameter to ensure only authorized roles are permitted during registration, blocking privilege escalation exploits.
Limits actions performable without identification or authentication, explicitly prohibiting unauthenticated registration from assigning administrator privileges.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated exploitation of public-facing WordPress plugin for privilege escalation via unauthorized admin account creation.
NVD Description
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with.…
more
This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.
Deeper analysisAI
CVE-2026-0920 is a high-severity vulnerability in the LA-Studio Element Kit for Elementor plugin for WordPress, affecting all versions up to and including 1.5.6.3. It stems from the 'ajax_register_handle' function failing to restrict user roles during registration, enabling attackers to specify the 'lakit_bkrole' parameter and create accounts with elevated privileges. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction or privileges required. By submitting a crafted registration request with the 'lakit_bkrole' parameter set to an administrator role, they can gain full administrative access to the WordPress site, potentially leading to complete compromise including data exfiltration, site modification, and persistence.
Advisories and patches reference mitigation through updating the plugin beyond version 1.5.6.3. The WordPress plugin trac shows the vulnerable code in override.php at line 301 of tag 1.5.6.3, with a fix applied in changeset 3439121. Additional details are provided in Wordfence's threat intelligence report.
Details
- CWE(s)