Former Employee Leaves Backdoor In WordPress Plugin With Over 20,000 Active Installs
On January 12th, 2026, the Wordfence threat intelligence team received a submission for a backdoor vulnerability in LA-Studio Element Kit for Elementor, a WordPress plugin with more than 20,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to create malicious administrator users.
Researchers Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777) and Waris Damkham discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. These researchers earned a bounty of $975.00 for this discovery.
The vendor informed us, in response to our inquiry, that a former employee added the backdoor code to the plugin.
The developer’s employment with the company ended at the end of December, and the last change to the backdoor was made at that time, so it is likely that the employee modified the backdoor code shortly before their employment was terminated.
Wordfence provided full disclosure details to the LA-Studio team instantly through our Wordfence Vulnerability Management Portal on January 13, 2026. The vendor acknowledged the report and released the patch on January 14, 2026. We would like to commend the LA-Studio team for their prompt response and timely patch.
This serves as an important reminder about insider threats: proper controls and checks should be in place for employee terminations, and the activities of team members with commit access should be monitored regularly.
We urge users to update their sites with the latest patched version of LA-Studio Element Kit for Elementor, version 1.6.0 at the time of this publication, as soon as possible.
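Because the backdoor allowed unauthenticated creation of administrator users, updating the plugin alone does not remove accounts that may already have been planted. The following script is an added example, not code from Wordfence or LA-Studio: it reviews the administrator list of a site against a known-good allowlist and a review window, flagging any admin that is not expected or was registered recently. The input is a constructed sample shaped like the CSV output of `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`; the logins, addresses, and the cutoff date are assumptions for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample data, shaped like WP-CLI's CSV output for
# `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`.
SAMPLE_ADMINS_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.test,2021-03-02 10:15:00
7,editor_admin,editor@example.test,2023-08-19 08:00:00
42,wp_support_01,support@example.test,2026-01-10 03:27:51
"""

# Assumed allowlist of administrator logins the site owner actually created.
KNOWN_ADMINS = {"siteowner", "editor_admin"}

# Assumed start of the review window; in practice, pick the earliest date the
# vulnerable plugin version could have been present on the site.
REVIEW_NOT_BEFORE = datetime(2025, 12, 1)


def parse_admin_list(csv_text):
    """Parse WP-CLI CSV output into dicts with user_registered as a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["user_registered"] = datetime.strptime(
            row["user_registered"], "%Y-%m-%d %H:%M:%S"
        )
        rows.append(row)
    return rows


def find_suspicious_admins(rows, known_admins, not_before):
    """Return (login, reasons) for each administrator that is not on the
    allowlist or whose account was registered on or after not_before."""
    suspicious = []
    for row in rows:
        reasons = []
        if row["user_login"] not in known_admins:
            reasons.append("not in allowlist")
        if row["user_registered"] >= not_before:
            reasons.append("registered after %s" % not_before.date())
        if reasons:
            suspicious.append((row["user_login"], reasons))
    return suspicious


if __name__ == "__main__":
    admins = parse_admin_list(SAMPLE_ADMINS_CSV)
    for login, reasons in find_suspicious_admins(admins, KNOWN_ADMINS, REVIEW_NOT_BEFORE):
        print("REVIEW %s: %s" % (login, ", ".join(reasons)))
```

Any account the script flags should be reviewed by the site owner before the site is considered clean; an unexpected administrator is a sign that the backdoor was used, and the rest of the site (files, options, scheduled tasks) then needs a closer look as well.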