A high-severity SQL Injection vulnerability was found in Ally, a popular web accessibility and usability WordPress plugin. With over 400,000 active installations, the flaw presents a large attack surface for unauthenticated attackers looking to pull sensitive data out of site databases.
The vulnerability, tracked as CVE-2026-2413, carries a CVSS score of 7.5. It was discovered by security researcher Drew Webber through the Wordfence Bug Bounty Program and earned an $800 bounty; the report came just five days after the flaw was introduced into the plugin's code.
The flaw exists in the plugin's get_global_remediations() method, which does not neutralise a user-supplied URL parameter before building it into a database query. The plugin does run the value through a sanitiser, but one designed for URL safety rather than SQL safety, and that is not enough to stop an attacker.
As the Wordfence report explains, “While esc_url_raw() is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected”.
Because the user-supplied URL parameter is "directly concatenated into an SQL JOIN clause without proper sanitization," an unauthenticated attacker can break out of the string literal and inject their own SQL into the existing query. This allows them to extract highly sensitive data, such as password hashes, from the WordPress database.
The exploitation method is time-based blind SQL injection. Wordfence describes the technique as "intricate, yet frequently successful": the query returns no attacker-visible output, so the attacker instead asks yes/no questions. A SQL CASE expression calls SLEEP() only when a guessed byte of the target value is correct, and the server's response time reveals the answer. Repeated across every position and candidate byte, this exfiltrates the data byte-by-byte.
For a site to be at risk, the Remediation module within the Ally plugin must be active. This specific module requires the plugin to be connected to an Elementor account. While this narrows the field of immediate victims, the high installation count of the plugin means thousands of sites remain in the crosshairs.
The vendor has moved quickly to resolve the issue by implementing a more secure coding standard. “The vendor patched this issue by using the wpdb prepare() function in the JOIN statement,” which ensures that user input is safely bound rather than simply concatenated.
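The following is an added illustration of the vulnerable pattern described above and of the wpdb prepare() fix; it is not the Ally plugin's code or Wordfence's proof of concept. The two functions are hypothetical reconstructions of the pattern only: the table and column names (ally_remediations, ally_pages, page_url) are assumed, and the payload is a constructed example of the CASE/SLEEP() technique the article describes, aimed at a stand-in wp_users table.

```php
<?php
// Added example. Not the Ally plugin's code; table and column names are assumed.

/**
 * Vulnerable pattern: esc_url_raw() is applied to the user-supplied URL and the
 * result is concatenated straight into a JOIN condition. esc_url_raw() rejects
 * disallowed protocols and strips characters that are not valid in a URL, but
 * single quotes, parentheses, '=' and '/' are all valid URL characters, so they
 * pass through untouched and reach the SQL parser as SQL.
 */
function get_global_remediations_vulnerable( wpdb $wpdb, string $url_param ): array {
    $url = esc_url_raw( $url_param );

    // Assumed table names; the string is built by concatenation, which is the bug.
    $sql = "SELECT r.id, r.rule
            FROM {$wpdb->prefix}ally_remediations AS r
            JOIN {$wpdb->prefix}ally_pages AS p
              ON p.id = r.page_id AND p.page_url = '" . $url . "'";

    return (array) $wpdb->get_results( $sql );
}

/**
 * Patched pattern: the value is bound through $wpdb->prepare(), so whatever the
 * attacker supplies is escaped and treated as one string literal, never as SQL.
 * esc_url_raw() can stay for URL validation, but it is no longer the SQL defence.
 */
function get_global_remediations_fixed( wpdb $wpdb, string $url_param ): array {
    $url = esc_url_raw( $url_param );

    $sql = $wpdb->prepare(
        "SELECT r.id, r.rule
         FROM {$wpdb->prefix}ally_remediations AS r
         JOIN {$wpdb->prefix}ally_pages AS p
           ON p.id = r.page_id AND p.page_url = %s",
        $url
    );

    return (array) $wpdb->get_results( $sql );
}

/*
 * Constructed time-based blind payload of the kind the article describes.
 * Against the vulnerable builder it closes the string literal, appends a
 * conditional SLEEP(), and reopens a literal so the query stays syntactically
 * valid. The CASE test asks whether the first character of the first stored
 * password hash is '$'; a ~3 second delay means "yes". An attacker repeats the
 * probe for each position and candidate byte. Comment sequences stand in for
 * whitespace, since URL sanitisers commonly percent-encode spaces.
 */
$payload = "https://example.com/'"
    . "/**/AND/**/(SELECT/**/CASE/**/WHEN/**/"
    . "SUBSTRING((SELECT/**/user_pass/**/FROM/**/wp_users/**/LIMIT/**/1),1,1)='\$'"
    . "/**/THEN/**/SLEEP(3)/**/ELSE/**/0/**/END)/**/AND/**/'1'='1";

// With the vulnerable builder, $payload becomes part of the ON clause and the
// SLEEP() fires when the guess is right. With the fixed builder, prepare()
// escapes the quote and the whole string is compared as a page_url value.
```

The check a practitioner should apply to similar code is simple: any value that reaches a query string through concatenation is a finding, regardless of which WordPress escaping helper was called first. esc_url_raw(), esc_attr() and friends are output-context escapers; only prepare() (or the wpdb esc_like()/prepare() combination for LIKE patterns) gives SQL-context safety.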
We urge users to update to the latest patched version of Ally, version 4.1.0 at the time of this publication, as soon as possible. Sites that have not enabled the Remediation module are not exploitable via this path, but should still update rather than rely on that configuration staying unchanged.