Cyber Resilience

CVE-2026-0920

Critical

Published: 22 January 2026

Published
22 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0108 60.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0920 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).

Deeper analysis

CVE-2026-0920 is a high-severity vulnerability in the LA-Studio Element Kit for Elementor plugin for WordPress, affecting all versions up to and including 1.5.6.3. It stems from the 'ajax_register_handle' function failing to restrict user roles during registration, enabling attackers to specify the 'lakit_bkrole' parameter and create accounts with elevated privileges. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction or privileges required. By submitting a crafted registration request with the 'lakit_bkrole' parameter set to an administrator role, they can gain full administrative access to the WordPress site, potentially leading to complete compromise including data exfiltration, site modification, and persistence.

Advisories and patches reference mitigation through updating the plugin beyond version 1.5.6.3. The WordPress plugin trac shows the vulnerable code in override.php at line 301 of tag 1.5.6.3, with a fix applied in changeset 3439121. Additional details are provided in Wordfence's threat intelligence report.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with.…

more

This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136.001 Local Account Persistence
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Direct unauthenticated exploitation of public-facing WordPress plugin for privilege escalation via unauthorized admin account creation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8809Shared CWE-269
CVE-2025-13559Shared CWE-269
CVE-2024-11951Shared CWE-269
CVE-2026-7467Shared CWE-269
CVE-2025-5954Shared CWE-269
CVE-2024-12281Shared CWE-269
CVE-2025-15403Shared CWE-269
CVE-2025-13538Shared CWE-269
CVE-2024-57602Shared CWE-269
CVE-2026-2631Shared CWE-269

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly manages account creation, enabling, modification, and privilege assignment to prevent unauthenticated attackers from registering administrator accounts with elevated roles.

prevent

Requires validation of user-supplied inputs such as the 'lakit_bkrole' parameter to ensure only authorized roles are permitted during registration, blocking privilege escalation exploits.

prevent

Limits actions performable without identification or authentication, explicitly prohibiting unauthenticated registration from assigning administrator privileges.

References