CVE-2026-24947 MEDIUM

CVE-2026-24947: WordPress LA-Studio Element Kit for Elementor plugin < 1.5.6.3 - Broken Access Control vulnerability

Vendor La-Studio
Product LA-Studio Element Kit for Elementor
Weakness CWE-862 · Missing authorization
Published February 3, 2026
Last update April 28, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3.

Explanation of Vulnerability in Simple Terms

02Summary

LA-Studio Element Kit for Elementor versions up to 1.5.6.3 lack proper authorization checks, allowing authenticated users to access sensitive information they should not be able to view. An attacker with a low-privilege account can read data intended for higher-privilege users. Update to a version newer than 1.5.6.3 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Read sensitive information accessible only to higher-privilege users.

Potential impact on your site

04Site Impact

User data and site information may be exposed to low-privilege account holders who should not have access.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege authenticated account on the WordPress site.

Key dates

06Disclosure timeline

February 3, 2026 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE