New Security Vulnerability in WordPress Plugin Threatens 250,000 Websites


The Ally WordPress plugin suffered from an SQL injection vulnerability (CVE-2026-2413)

Approximately 246,600 sites were left vulnerable to information theft

Corrected in version 4.1.0; WordPress calls for immediate updates

    A widely used WordPress plugin with hundreds of thousands of active installations has been found to contain a critical vulnerability that lets attackers extract sensitive data, cybersecurity experts warn.

    The Ally plugin, built by Elementor and released in November 2025, is a web accessibility aid: it identifies accessibility barriers on a site and guides administrators through fixing them.

    However, Drew Webber, a security researcher at Acquia, has reported that Ally has an SQL injection flaw: unauthenticated users can pass input into the plugin's SQL queries without adequate sanitization.

    A Precarious Situation for Numerous Websites

    Webber elaborated, “This vulnerability permits unauthenticated adversaries to append additional SQL queries to existing ones, facilitating the extraction of confidential data from the database via time-based blind SQL injection methodologies.”
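    As an added illustration (constructed for this article, not Ally's code and not from the researcher's report), the pattern behind this class of bug in a WordPress plugin, next to its hardened form: an AJAX handler reachable by anonymous visitors that splices a request parameter into a query, versus one that binds the value through `$wpdb->prepare()`. The handler names, the `example_widgets` table and the `page_id` parameter are hypothetical.

```php
<?php
// Hypothetical unauthenticated AJAX handler, constructed for illustration (not Ally's code).
// wp_ajax_nopriv_* hooks run for visitors who are not logged in, so every
// parameter that reaches them is untrusted input.

// VULNERABLE PATTERN: the request value is concatenated straight into the SQL string,
// so whatever the client sends in $_POST['page_id'] becomes part of the query text.
function example_widget_count_vulnerable() {
    global $wpdb;
    $page_id = $_POST['page_id'] ?? '';
    $sql     = "SELECT COUNT(*) FROM {$wpdb->prefix}example_widgets WHERE page_id = " . $page_id;
    $count   = $wpdb->get_var( $sql );
    wp_send_json_success( array( 'count' => (int) $count ) );
}

// HARDENED: the value is coerced to the expected type and bound with $wpdb->prepare(),
// so the database only ever sees it as an integer, never as SQL.
function example_widget_count_hardened() {
    global $wpdb;
    if ( ! isset( $_POST['page_id'] ) ) {
        wp_send_json_error( 'missing page_id', 400 );
    }
    $page_id = absint( wp_unslash( $_POST['page_id'] ) );
    $table   = $wpdb->prefix . 'example_widgets'; // prefix is site configuration, not user input
    $sql     = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE page_id = %d",
        $page_id
    );
    $count = $wpdb->get_var( $sql );
    wp_send_json_success( array( 'count' => (int) $count ) );
}

// Register only the hardened handler, for both logged-in and anonymous callers.
add_action( 'wp_ajax_example_widget_count', 'example_widget_count_hardened' );
add_action( 'wp_ajax_nopriv_example_widget_count', 'example_widget_count_hardened' );
```

    Binding the parameter is the fix; merely rejecting semicolons or escaping quotes is not enough, because a time-based blind injection needs only an attacker-controlled expression inside a single statement. A grep for `$wpdb->query(`, `get_var(`, `get_results(` and `get_row(` calls whose argument is not wrapped in `$wpdb->prepare(` is a cheap first pass when auditing a plugin for this pattern.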

    This security lapse, designated CVE-2026-2413, has been rated with a high-severity score of 7.5 out of 10. It affects all plugin versions up to 4.0.3 and was fixed on February 23 in version 4.1.0.

    Currently, WordPress.org reports over 400,000 active installations, but only 38.4% (approximately 153,600) run the latest version, leaving roughly 246,600 sites exposed.

    Although WordPress is generally perceived as a secure website development platform, most vulnerabilities stem from third-party plugins and themes.


    Security professionals typically advise users to keep only essential plugins and themes, ensuring they remain up to date.

    In addition to updating the Ally plugin, users are also encouraged to upgrade the platform itself, as WordPress has recently released a critical update: version 6.9.2 addresses ten vulnerabilities, including cross-site scripting (XSS) flaws, authorization bypass issues, and server-side request forgery (SSRF) bugs.

    WordPress implores its user base to install the latest version “without delay.”

    Source link: Techradar.com.

    Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

    Reported By

    Souvik Banerjee

    I’m Souvik Banerjee from Kolkata, India. As a Marketing Manager at RS Web Solutions (RSWEBSOLS), I specialize in digital marketing, SEO, programming, web development, and eCommerce strategies. I also write tutorials and tech articles that help professionals better understand web technologies.