CVE-2026-0920

LA-Studio · LA-Studio Element Kit for Elementor plugin for WordPress

A critical vulnerability has been identified in the LA-Studio Element Kit for Elementor WordPress plugin.

Executive summary

This flaw allows any unauthenticated user on the internet to create a new user account with full administrator privileges. Successful exploitation results in a complete compromise of the affected website, giving the attacker total control over its content, user data, and underlying server functions.

Vulnerability

The vulnerability exists within the user registration functionality of the plugin, specifically in the ajax_register_handle function. This function fails to properly validate or restrict the user role that can be assigned during the creation of a new account. An unauthenticated attacker can exploit this by submitting a standard registration request while including a specific parameter, lakit_bkrole, with its value set to 'administrator'. The plugin processes this parameter without authorization checks, resulting in the creation of a new user with the highest possible privileges on the WordPress site.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit grants an attacker complete administrative control over the website, leading to severe business consequences. These include, but are not limited to, theft of sensitive company and customer data, website defacement causing reputational damage, deployment of malware or ransomware, and using the compromised server to launch further attacks against other systems. The potential for data breaches can also result in significant regulatory fines and loss of customer trust.

Remediation

Immediate Action: Update the LA-Studio Element Kit for Elementor plugin to the latest available version (newer than 1.5.6.3). After patching, conduct an immediate audit of all user accounts within WordPress, paying special attention to administrator roles, to identify and remove any unauthorized accounts. Review server access logs for indicators of compromise related to this vulnerability.

Proactive Monitoring: Monitor web server access logs for incoming HTTP POST requests to the user registration endpoint that contain the parameter lakit_bkrole. Configure alerts for the creation of new user accounts with administrative privileges. Regularly audit the WordPress user list to ensure all accounts are legitimate and have appropriate permissions.
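The following Python is an added example, not part of this advisory and not code from the vendor or the plugin. It implements the two checks described above over constructed sample data: a scan of request logs for POST requests carrying the lakit_bkrole parameter (in the body or the query string, with percent-encoded names decoded before comparison), and a post-patch audit that lists administrator accounts missing from an approved baseline. Everything beyond the parameter name is an assumption: stock Apache and Nginx access logs record the request line but not the POST body, so the sample log format assumes a WAF, reverse proxy or application-level logger that does; the admin-ajax.php path is inferred from the handler name ajax_register_handle rather than stated by the advisory; and the user records mirror the fields of WP-CLI's `wp user list`, with roles as a comma-separated string.

```python
"""Triage helpers for the role-override pattern described in this advisory.

Added example; not code from the advisory, the vendor or the plugin.
Assumptions (none of these come from the advisory itself):
  * Request logs are in a constructed space-separated format whose last field
    is the URL-encoded POST body.  Stock Apache/Nginx access logs do not record
    bodies; a WAF, reverse proxy or application-level request logger is needed.
  * The registration request targets WordPress's admin-ajax.php.  This is
    inferred from the handler name ajax_register_handle, not stated by the page.
  * User records mirror the fields of `wp user list --fields=user_login,
    user_registered,roles`, with roles as a comma-separated string.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

ROLE_PARAM = "lakit_bkrole"            # parameter named in the advisory
PRIVILEGED_ROLES = {"administrator"}   # self-registration should never yield these


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    path: str
    requested_role: str
    privileged: bool


def _request_params(path_and_query: str, body: str) -> dict:
    """Merge query-string and body parameters into {lowercased name: [values]}.

    Parsing instead of substring-matching the raw line means a percent-encoded
    name such as lakit%5Fbkrole decodes to lakit_bkrole before comparison, and
    checking both locations mirrors how PHP's $_REQUEST sees a request.
    """
    merged: dict = {}
    sources = [urlsplit(path_and_query).query, "" if body == "-" else body]
    for source in sources:
        for name, values in parse_qs(source, keep_blank_values=True).items():
            merged.setdefault(name.lower(), []).extend(values)
    return merged


def scan_request_log(log_text: str) -> list:
    """Return one Finding per POST request that carries the role-override parameter.

    Every occurrence is reported, matching the advisory's WAF guidance to block any
    registration request containing the parameter; `privileged` marks the subset
    whose requested role is one an anonymous registration must never be granted.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client_ip, method, path, _status, body = line.split(" ", 5)
        if method != "POST":
            continue
        params = _request_params(path, body)
        if ROLE_PARAM not in params:
            continue
        requested = ",".join(params[ROLE_PARAM])
        findings.append(Finding(
            timestamp, client_ip, urlsplit(path).path, requested,
            privileged=any(r.strip().lower() in PRIVILEGED_ROLES for r in params[ROLE_PARAM]),
        ))
    return findings


def audit_administrators(users: list, approved_logins: set) -> list:
    """Return administrator logins absent from the approved baseline.

    Run this after patching: an administrator nobody can vouch for is the
    primary artefact this vulnerability leaves behind.
    """
    return sorted(
        user["user_login"]
        for user in users
        if "administrator" in [r.strip() for r in user["roles"].split(",")]
        and user["user_login"] not in approved_logins
    )


# Constructed sample data: RFC 5737 documentation addresses, made-up logins.
SAMPLE_REQUEST_LOG = """\
2026-01-14T10:02:11Z 203.0.113.5 POST /wp-admin/admin-ajax.php 200 username=alice&email=alice%40example.com&password=REDACTED
2026-01-14T10:02:19Z 203.0.113.5 POST /wp-admin/admin-ajax.php 200 username=svc_backup&email=svc%40example.net&password=REDACTED&lakit_bkrole=administrator
2026-01-14T10:03:01Z 198.51.100.7 GET /wp-login.php 200 -
2026-01-14T10:04:44Z 203.0.113.9 POST /wp-admin/admin-ajax.php?lakit%5Fbkrole=editor 200 username=bob&email=bob%40example.com&password=REDACTED
"""

SAMPLE_USERS = [
    {"user_login": "siteadmin", "user_registered": "2024-03-02 09:15:00", "roles": "administrator"},
    {"user_login": "alice", "user_registered": "2026-01-14 10:02:11", "roles": "subscriber"},
    {"user_login": "svc_backup", "user_registered": "2026-01-14 10:02:19", "roles": "administrator"},
]
APPROVED_ADMINS = {"siteadmin"}

if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_REQUEST_LOG):
        flag = "PRIVILEGED" if f.privileged else "suspicious"
        print(f"{f.timestamp} {f.client_ip} {f.path} {ROLE_PARAM}={f.requested_role} [{flag}]")
    print("administrators not on baseline:", audit_administrators(SAMPLE_USERS, APPROVED_ADMINS))
```

On the constructed sample the scanner reports two requests (one requesting administrator, one requesting editor via the query string) and the audit flags the one administrator account, svc_backup, that is not on the baseline. The role value is deliberately not the trigger: any appearance of the parameter in a self-registration request is anomalous, so alerting on presence rather than on the string "administrator" avoids missing variants that request other elevated roles.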

Compensating Controls: If immediate patching is not feasible, the following measures can reduce risk:

  • Implement a Web Application Firewall (WAF) rule to inspect and block any registration requests containing the lakit_bkrole parameter.
  • Completely disable the user registration feature on the website if it is not essential for business operations.
  • Restrict access to the registration page to only trusted IP addresses.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the critical CVSS score of 9.8 and the direct path to full system compromise by an unauthenticated attacker, this vulnerability requires immediate attention. We strongly recommend that all organizations using the affected plugin apply the vendor-supplied patch as the highest priority. Although this CVE is not currently on the CISA KEV list, its severity and ease of exploitation make it a significant threat. A comprehensive audit of all administrative accounts must be performed post-remediation to ensure no prior compromise has occurred.