Severe SQL Injection Vulnerability in Ally Plugin Poses Threat to Over 400,000 WordPress Sites
Pierluigi Paganini
March 12, 2026
A critical SQL injection vulnerability (CVE-2026-2413) in the Ally WordPress plugin endangers sensitive data across 400,000+ installations.
A concerning SQL injection vulnerability, designated as CVE-2026-2413 with a CVSS score of 7.5, has been identified in the Ally plugin used by more than 400,000 WordPress sites.
The threat was uncovered by offensive security engineer Drew Webber at Acquia on February 4, 2026.
The Ally plugin, previously known as One Click Accessibility, is a complimentary tool designed to assist developers in creating accessible websites.
It features an accessibility scanner equipped with AI-generated suggestions, a usability widget for site visitors, and an automated generator for accessibility statements.
The plugin is widely adopted, with active installations on more than 400,000 WordPress sites.
This vulnerability might permit malicious actors to extract sensitive database information, including password hashes.
The issue has been responsibly communicated by Drew Webber through the Wordfence Bug Bounty Program, and he received an $800 reward for his findings.
Wordfence informed Elementor of the flaw on February 13, which the vendor acknowledged two days later, leading to a patch release on February 23, 2026.
Users are strongly advised to upgrade to Ally version 4.1.0 to alleviate the associated risks.
The root cause of this vulnerability lies in the improper handling of the subscriber’s query within the Ally plugin.
Specifically, the plugin constructs a SQL JOIN query using a URL parameter without employing WordPress’ wpdb->prepare() function, which typically ensures queries are securely escaped and parameterized.
Although the function esc_url_raw() is utilized, it does not sufficiently prevent SQL injection attacks. Consequently, this flaw opens a pathway for attackers to insert nefarious SQL commands.
By exploiting this vulnerability using time-based blind SQL injection techniques, such as incorporating CASE statements and SLEEP() delays, an assailant could progressively retrieve sensitive data from the database.
“The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3,” states the advisory released by Wordfence.
This vulnerability is attributable to inadequate escaping of the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for the SQL context.
While `esc_url_raw()` aims to secure the URL, it fails to mitigate the injection of SQL metacharacters (such as single quotes and parentheses).
The development team has rectified the issue by passing the JOIN statement through the wpdb->prepare() function.
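The pattern the advisory describes, shown here as an added illustration rather than the Ally plugin's own code: a hypothetical remediation lookup whose JOIN clause concatenates a URL that only passed esc_url_raw(), beside the same lookup rewritten with $wpdb->prepare(). The table names (ally_remediations, ally_urls) and column names are assumed, and the snippet expects to run inside a loaded WordPress environment.

```php
<?php
// Added illustration of the bug class described in the advisory; this is NOT
// the Ally plugin's source. Table and column names are assumed for the example.

class Ally_Remediations_Example {

    // Vulnerable pattern: esc_url_raw() sanitizes for a URL context and keeps
    // characters such as ' and ( ) that are legal in URLs, so concatenating the
    // result into the JOIN leaves the SQL context unprotected.
    public function get_global_remediations_vulnerable( $url ) {
        global $wpdb;
        $url = esc_url_raw( $url );
        $sql = "SELECT r.* FROM {$wpdb->prefix}ally_remediations r "
             . "JOIN {$wpdb->prefix}ally_urls u ON u.id = r.url_id "
             . "AND u.url = '" . $url . "' "
             . "WHERE r.is_global = 1";
        return $wpdb->get_results( $sql );
    }

    // Fixed pattern: the URL is bound to a %s placeholder, so $wpdb->prepare()
    // quotes and escapes it and the database sees it only as string data.
    // Note that %s is written without surrounding quotes; prepare() adds them.
    public function get_global_remediations_fixed( $url ) {
        global $wpdb;
        $url = esc_url_raw( $url );
        $sql = $wpdb->prepare(
            "SELECT r.* FROM {$wpdb->prefix}ally_remediations r "
            . "JOIN {$wpdb->prefix}ally_urls u ON u.id = r.url_id AND u.url = %s "
            . "WHERE r.is_global = 1",
            $url
        );
        return $wpdb->get_results( $sql );
    }
}
```

When reviewing plugin code for this bug class, the check is whether every value that reaches $wpdb->query() or $wpdb->get_results() arrived there through a prepare() placeholder, regardless of which esc_*() function it passed earlier.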

“The vulnerability has been rectified in version 4.1.0 of the plugin,” concludes the advisory. “We urge WordPress users to confirm that their sites are updated to the latest patched version of Ally without delay, given the critical nature of this vulnerability.”
Source link: Securityaffairs.com.