CVE-2026-12276 PUBLISHED

LA-Studio Element Kit for Elementor < 1.6.1 - Unauthenticated Open Registration

Assigner: WPScan
Reserved: 15.06.2026 Published: 10.07.2026 Updated: 10.07.2026

The LA-Studio Element Kit for Elementor WordPress plugin before 1.6.1 does not check whether user registration is enabled on the site before creating an account through one of its unauthenticated AJAX actions, allowing unauthenticated attackers to register new accounts even when registration has been disabled site-wide.

Product Status

Vendor Unknown
Product LA-Studio Element Kit for Elementor
Versions Default: unaffected
  • affected from 0 to 1.6.1 (excl.)

Credits

  • Mike Gozdiskowski finder
  • WPScan coordinator

References

Problem Types

  • CWE-863 Incorrect Authorization CWE