CVE-2026-12276
Received Received - Intake

Unauthenticated User Registration in LA-Studio Element Kit for Elementor

Vulnerability report for CVE-2026-12276, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: WPScan

Description

The LA-Studio Element Kit for Elementor WordPress plugin before 1.6.1 does not check whether user registration is enabled on the site before creating an account through one of its unauthenticated AJAX actions, allowing unauthenticated attackers to register new accounts even when registration has been disabled site-wide.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
la-studio element_kit_for_elementor to 1.6.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability allows attackers to create unauthorized user accounts on your WordPress site even if user registration is disabled.

Such unauthorized accounts could be used to gain access to restricted areas, perform malicious actions, or escalate privileges depending on the site's configuration.

It undermines the site's intended access controls and could lead to security breaches or misuse of site resources.

Executive Summary

The vulnerability CVE-2026-12276 affects the LA-Studio Element Kit for Elementor WordPress plugin versions prior to 1.6.1.

It allows unauthenticated attackers to register new user accounts on a WordPress site even when user registration is disabled site-wide.

This happens because the plugin does not check whether user registration is enabled before processing account creation through an unauthenticated AJAX action.

An attacker can exploit this by retrieving a nonce from a public page containing the plugin's registration form widget and then sending a crafted request to create an account.

This vulnerability is classified as an incorrect authorization issue (CWE-863) with a medium severity CVSS score of 5.3.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized user registration attempts through the plugin's unauthenticated AJAX actions. Specifically, an attacker exploits the vulnerability by retrieving a nonce from a public page containing the plugin's registration form widget and then sending a crafted request to create an account.

To detect exploitation attempts, you can look for unusual AJAX requests to the plugin's registration endpoints or unexpected user account creations when user registration is supposed to be disabled.

  • Use web server logs or network monitoring tools to identify POST requests to the plugin's AJAX registration URL.
  • Check WordPress user creation logs or database entries for new accounts created without legitimate registration.
  • Example command to search web server logs for suspicious AJAX registration requests (adjust path and plugin endpoint accordingly):

grep -i 'wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep 'action=element_kit_registration'

Replace 'element_kit_registration' with the actual AJAX action name used by the plugin if known.

Mitigation Strategies

The immediate mitigation step is to update the LA-Studio Element Kit for Elementor plugin to version 1.6.1 or later, where this vulnerability has been fixed.

Until the update can be applied, consider disabling or restricting access to the plugin's registration AJAX actions to prevent unauthenticated account creation.

Additionally, review and monitor user registrations to identify and remove any unauthorized accounts created through this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12276. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart