CVE-2026-0920

🚨 CRITICAL

Published

Jan 22, 2026

Last Modified

Jan 26, 2026

Views

Bookmarks

Description

Request Expert Review

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.

CVSS Scores

CVSS 3.1 9.8

9.8

CRITICAL

CVSS 2.0 9.8

References

plugins.trac.wordpress.org plugins.trac.wordpress.org www.wordfence.com

Additional Information

Source: security@wordfence.com
State: Awaiting analysis

Related CVEs

CVE-2026-26079

MEDIUM

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

Score: 4.7

CVE-2026-1893

MEDIUM

The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_label' parameter in the 'orbisius_ra...

Score: 6.4

CVE-2026-1231

MEDIUM

The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global...

Score: 6.4

CVE-2025-15524

MEDIUM

The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_...

Score: 4.3

CVE-2025-14541

HIGH

The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_...

Score: 7.2

CVE-2025-13431

MEDIUM

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5...

Score: 6.5

Share CVE-2026-0920

Share on Social Media

Copy Link

Embed Code

HTML Embed (for websites/blogs)

Markdown (for GitHub/Discord)

Request Expert Analysis

Request a professional security analysis for CVE-2026-0920 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Priority Level

SLA Acceleration (50% faster delivery)

Add 3 credits for accelerated delivery

Additional Context (Optional)

Base Cost: 8 credits

Priority Upgrade: + credits

SLA Acceleration: +3 credits

Total Cost:

Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

CVE-2026-0920

Description

CVSS Scores

References

Additional Information

Related CVEs

CVE-2026-26079

CVE-2026-1893

CVE-2026-1231

CVE-2025-15524

CVE-2025-14541

CVE-2025-13431

Share CVE-2026-0920

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Credits System

Insufficient Credits

Report Analysis