Choijun La-Studio Element Kit For Elementor vulnerabilities
11 known vulnerabilities affecting choijun/la-studio_element_kit_for_elementor.
Total CVEs: 11
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 8
Vulnerabilities
CVE-2026-0920 | P1 | CRITICAL | CVSS 9.8 | CWE-269 | Exploited | PoC | ≤ 1.5.6.3 | 2026-01-22
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parame
nvd
CVE-2024-10873 | P3 | HIGH | CVSS 8.8 | CWE-98 | ≤ 1.4.2 | 2024-11-23
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the _load_template function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any P
nvd
CVE-2024-5349 | P3 | HIGH | CVSS 8.8 | CWE-22 | ≤ 1.3.8.1 | 2024-07-02
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.8.1 via the 'map_style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP
nvd
CVE-2024-4431 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 1.3.7.6 | 2024-05-23
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.3.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web sc
nvd
CVE-2025-8360 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 1.5.5.1 | 2025-09-06
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's widgets in all versions up to, and including, 1.5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level acc
nvd
CVE-2025-3106 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 1.4.9 | 2025-04-18
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Table of Contents widget in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level
nvd
CVE-2024-3005 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 1.3.7.5 | 2024-05-02
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's LaStudioKit Post Author widget in all versions up to, and including, 1.3.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contribut
nvd
CVE-2025-4944 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 1.5.2 | 2025-05-30
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Compare and Google Maps widgets in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with cont
nvd
CVE-2025-4943 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 1.5.2 | 2025-05-30
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-lakit-element-link’ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inje
nvd
CVE-2024-2249 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 1.3.7.4 | 2024-03-14
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LinkWrapper attribute found in several widgets in all versions up to, and including, 1.3.7.4 due to insufficient input sanitization and output escaping the user supplied attribute. This makes it possible for authenticated attackers with con
nvd
CVE-2024-10787 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | ≤ 1.4.4 | 2024-12-04
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.4 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract
nvd