A serious security vulnerability has been discovered in the Ally plugin for WordPress. The flaw could allow attackers to steal sensitive data from websites without authentication. The issue has been tracked as CVE-2026-2413 and has received a high severity score. The vulnerability was discovered by security researcher Drew Webber, also known as mcdruid, who works as an offensive security engineer at Acquia.
The Ally plugin is developed by Elementor and is designed to improve accessibility and usability on websites built using Elementor. According to WordPress data, the plugin has more than 400,000 active installations.
The vulnerability affects all versions of the Ally plugin up to version 4.0.3. Researchers say attackers can exploit the flaw by injecting malicious SQL queries through a specially crafted URL. Since the attack does not require authentication, hackers can target websites without needing to log in.
SQL injection is one of the oldest and most common security vulnerabilities in web applications. It happens when user input is inserted directly into a database query without proper validation or sanitization. This allows attackers to manipulate database queries and access or modify stored data.
In the case of CVE-2026-2413, the problem occurs due to improper handling of a user-supplied URL parameter in the plugin’s code.
Security researchers from Wordfence explained that the issue is caused by insufficient escaping of a URL parameter in a function called get_global_remediations().
Although the plugin uses the esc_url_raw() function to clean the URL, that method only ensures the URL format is valid. It does not block SQL-related characters such as quotes or parentheses. Because of this, attackers can insert SQL commands into database queries to extract sensitive information using time-based blind SQL injection techniques.
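The two paragraphs above describe the general flaw and the specific mistake: format validation is not query escaping. The following is an added illustration, not code from the Ally plugin or from Elementor, showing the same pattern in a WordPress context. It assumes a loaded WordPress environment (`$wpdb`, `esc_url_raw()`); the table name, column and function names are hypothetical. WordPress's `esc_url_raw()` removes characters outside an allow-list, but that allow-list includes the single quote and parentheses, so a value that passes it can still alter the structure of a query it is concatenated into. The fix is to bind the value with `$wpdb->prepare()` so the database receives it as data.

```php
<?php
// Added example, not the Ally plugin's code. Shows why esc_url_raw() is not
// an SQL-safety measure and how $wpdb->prepare() removes the injection.
// Assumes WordPress is loaded; table/column/function names are hypothetical.

// VULNERABLE pattern: esc_url_raw() validates the URL's shape and strips some
// characters, but single quotes and parentheses survive, and the result is
// then interpolated straight into the SQL string.
function example_find_remediation_unsafe( $url ) {
    global $wpdb;
    $clean = esc_url_raw( $url ); // format check only, not SQL escaping
    $sql   = "SELECT id FROM {$wpdb->prefix}example_remediations WHERE url = '{$clean}'";
    return $wpdb->get_var( $sql );
}

// HARDENED pattern: the value is passed as a %s placeholder argument, so the
// database driver treats it purely as data regardless of its contents.
function example_find_remediation_safe( $url ) {
    global $wpdb;
    $clean = esc_url_raw( $url ); // still worthwhile as input validation
    $sql   = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}example_remediations WHERE url = %s",
        $clean
    );
    return $wpdb->get_var( $sql );
}

// Optional belt-and-braces check for callers that should only ever accept
// absolute http(s) URLs: reject anything else before it reaches the query.
function example_is_acceptable_url( $url ) {
    $parts = wp_parse_url( $url );
    return is_array( $parts )
        && isset( $parts['scheme'], $parts['host'] )
        && in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true );
}
```

The safe variant keeps `esc_url_raw()` because format validation is still useful; it simply stops relying on it for a job it was never meant to do. Reviewing plugin code for `$wpdb->get_var()`, `get_results()` or `query()` calls whose argument is a string built with interpolation rather than `$wpdb->prepare()` is the quickest way to find this class of bug.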
The vulnerability can only be exploited if the Ally plugin is connected to an Elementor account and the Remediation module is enabled. Even with this requirement, security experts say the risk remains significant because many websites use the plugin in this configuration.
According to WordPress.org data, only about 36 percent of websites using the plugin have updated to the latest version. This means more than 250,000 websites may still be vulnerable.
Elementor has already fixed the vulnerability in Ally version 4.1.0, which was released on February 23. The flaw was responsibly disclosed to the company on February 13 after being verified by Wordfence.
The researcher who discovered the issue received an $800 bug bounty for reporting the vulnerability.
Despite the availability of a patch, many websites have not yet upgraded. This delay in updates is a common problem in the WordPress ecosystem, where site owners often postpone plugin upgrades due to compatibility concerns or simple oversight. However, security experts warn that leaving vulnerable plugins unpatched can expose websites to automated attacks.
At the same time, WordPress 6.9.2 has also been released to address multiple vulnerabilities in the platform itself. The update fixes ten security issues, including cross-site scripting (XSS), authorization bypass, and server-side request forgery (SSRF) vulnerabilities. Developers recommend that website owners install the update immediately.
SQL injection has been known for decades and is relatively easy to prevent with proper coding practices, yet this case shows how modern applications remain vulnerable when developers overlook those safeguards.
It is also a reminder for WordPress users to keep plugins and core software updated. WordPress sites often rely on dozens of plugins, and even a single vulnerable component can expose the entire website to attacks.