High-Severity SQL Injection Flaw in Ally WordPress Plugin Exposed 246,600 Sites
A high-severity SQL injection vulnerability (CVE-2026-2413) in the Ally WordPress plugin, a web accessibility tool from Elementor, left approximately 246,600 websites exposed to data theft. The flaw, reported by security researcher Drew Webber of Acquia, allowed unauthenticated attackers to inject SQL into the plugin's database queries and extract sensitive information through time-based blind SQL injection, a technique in which the attacker infers data one condition at a time from how long the server takes to respond.
The vulnerability, rated 7.5/10 (high severity), affects all Ally versions up to and including 4.0.3 and was fixed in version 4.1.0, released on February 23. Of the plugin's more than 400,000 active installations, only 38.4% (about 153,600 sites) were running the fixed version at the time of disclosure, leaving the remaining sites exposed.
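As an added example (not code from the original article, Elementor, Acquia, or the Ally plugin itself), the following Python helper shows the two checks a site operator would want to run on this advisory: a scan of web-server access logs for the time-based blind SQL injection markers described above (SLEEP, BENCHMARK, pg_sleep, WAITFOR DELAY), corroborated by each request's response time, and a version check against the affected range the article gives (releases up to 4.0.3 affected, 4.1.0 fixed). The log lines are constructed, the `action=example` request parameter is a placeholder because the article does not name the vulnerable endpoint or parameter, and the trailing response-time field assumes a custom log format that records timing.

```python
"""Triage helpers for the Ally plugin SQL injection advisory (CVE-2026-2413).

Added example, not code from the original article, Elementor, Acquia, or the
Ally plugin. Assumptions: the log lines below are constructed; the
'action=example' endpoint is a placeholder (the advisory does not name the
vulnerable request parameter); the version window comes from the advisory
(releases up to 4.0.3 affected, 4.1.0 is the fix).
"""
import re
from urllib.parse import unquote_plus

# Constructed sample traffic: Apache "combined" format with the response time
# in milliseconds appended as a final field (assumes a custom LogFormat).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2026:10:01:02 +0000] "GET /?page_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 38
203.0.113.7 - - [24/Feb/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 17 "-" "curl/8.4" 5012
198.51.100.4 - - [24/Feb/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0" 41
203.0.113.7 - - [24/Feb/2026:10:03:11 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=1%20AND%20(SELECT%20BENCHMARK(5000000,MD5(1))) HTTP/1.1" 200 17 "-" "curl/8.4" 4880
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<ms>\d+)$'
)

# Database functions that stall the engine; time-based blind SQLi relies on
# them to turn a true/false condition into a measurable delay.
TIME_BASED = re.compile(
    r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b|\bDBMS_LOCK\.SLEEP\s*\(",
    re.IGNORECASE,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly; attackers double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str, slow_ms: int = 3000) -> list[dict]:
    """Return one finding per request whose decoded URL carries a delay marker.

    The marker is the signal; a response time at or above slow_ms on the same
    request corroborates that the injected delay actually executed.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the expected format; skip it
        decoded = fully_decode(m["path"])
        hit = TIME_BASED.search(decoded)
        if not hit:
            continue
        ms = int(m["ms"])
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "indicator": hit.group(0),
            "request": decoded,
            "ms": ms,
            "timing_corroborated": ms >= slow_ms,
        })
    return findings


def parse_version(version: str) -> tuple[int, ...]:
    """'4.0.3' -> (4, 0, 3); tuple comparison orders 4.0.10 above 4.0.9 correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def ally_is_vulnerable(installed: str) -> bool:
    """True when the installed Ally release predates the 4.1.0 fix.

    The advisory states every release up to 4.0.3 is affected and 4.1.0 is the
    patched build, so anything below 4.1.0 is treated as unpatched.
    """
    return parse_version(installed) < (4, 1, 0)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "CONFIRMED-DELAY" if f["timing_corroborated"] else "marker-only"
        print(f"{f['ts']} {f['ip']} {f['indicator']} {f['ms']}ms {flag}")
    for v in ("4.0.3", "4.1.0"):
        print(v, "vulnerable" if ally_is_vulnerable(v) else "patched")
```

The scanner decodes the request before matching because injection payloads arrive percent-encoded (often twice), and it reports the timing as a `timing_corroborated` flag rather than filtering on it: a delay marker in the query string is worth a look even if the server answered quickly, while a slow response with no marker is far more often load than injection and is deliberately not reported.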
WordPress, which has long warned about the security risk posed by third-party plugins, urged site owners to update both Ally and WordPress core without delay. The recently released WordPress 6.9.2 fixed 10 vulnerabilities of its own, including cross-site scripting (XSS), authorization bypass, and server-side request forgery (SSRF) flaws.
The incident underscores the persistent threat of plugin-based vulnerabilities in the WordPress ecosystem, where outdated or unsupported extensions remain a primary attack vector.
Elementor cybersecurity rating report: https://www.rankiteo.com/company/elementor
WordPress cybersecurity rating report: https://www.rankiteo.com/company/wordpress
"id": "ELEWOR1773333877",
"linkid": "elementor, wordpress",
"type": "Vulnerability",
"date": "2/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{
  "affected_entities": [
    {
      "customers_affected": "246,600 websites",
      "industry": "Web Development/Accessibility",
      "name": "Ally WordPress Plugin (Elementor)",
      "size": "400,000 active installations",
      "type": "Software/Plugin"
    }
  ],
  "attack_vector": "Unauthenticated SQL Injection",
  "data_breach": {
    "data_exfiltration": "Possible via SQL injection",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Sensitive information"
  },
  "date_resolved": "2026-02-23",
  "description": "A high-severity SQL injection vulnerability (CVE-2026-2413) in the Ally WordPress plugin, a web accessibility tool from Elementor, left approximately 246,600 websites vulnerable to data theft. The flaw allowed unauthenticated attackers to inject malicious SQL queries into databases, enabling the extraction of sensitive information via time-based blind SQL injection techniques.",
  "impact": {
    "data_compromised": "Sensitive information",
    "systems_affected": "246,600 websites"
  },
  "lessons_learned": "The incident underscores the persistent threat of plugin-based vulnerabilities in the WordPress ecosystem, where outdated or unsupported extensions remain a primary attack vector.",
  "post_incident_analysis": {
    "corrective_actions": "Patch released (version 4.1.0) and update recommendations issued.",
    "root_causes": "SQL injection vulnerability in Ally WordPress plugin (CVE-2026-2413)"
  },
  "recommendations": "Immediately update the Ally WordPress plugin to version 4.1.0 and ensure the core WordPress platform is updated to the latest version.",
  "references": [
    {
      "source": "Drew Webber of Acquia"
    }
  ],
  "response": {
    "communication_strategy": "WordPress urged users to immediately update",
    "containment_measures": "Patch released (version 4.1.0)",
    "remediation_measures": "Update to version 4.1.0"
  },
  "stakeholder_advisories": "WordPress urged users to immediately update both Ally and the core platform.",
  "title": "High-Severity SQL Injection Flaw in Ally WordPress Plugin Exposed 246,600 Sites",
  "type": "SQL Injection",
  "vulnerability_exploited": "CVE-2026-2413"
}