Home

Description

The LA-Studio Element Kit for Elementor WordPress plugin before 1.6.1 does not check whether user registration is enabled on the site before creating an account through one of its unauthenticated AJAX actions, allowing unauthenticated attackers to register new accounts even when registration has been disabled site-wide.

PUBLISHED Reserved 2026-06-15 | Published 2026-07-10 | Updated 2026-07-10 | Assigner WPScan

Problem types

CWE-863 Incorrect Authorization

Product status

Default status
unaffected

Any version before 1.6.1
affected

Credits

Mike Gozdiskowski finder

WPScan coordinator

References

wpscan.com/...rability/0c77a001-2773-4727-a873-848f5670fb96/ exploit vdb-entry technical-description

cve.org (CVE-2026-12276)

nvd.nist.gov (CVE-2026-12276)

Download JSON