An SQL Injection Vulnerability Discovered in Ally Plugin for WordPress
A recently identified SQL injection vulnerability in the Ally plugin, a WordPress tool developed by Elementor that facilitates web accessibility and usability, has sparked concern within the digital community.
With over 400,000 installations, this flaw poses a significant risk, enabling malicious actors to potentially exfiltrate sensitive data without necessitating user authentication.
This security issue, designated as CVE-2026-2413, has been assigned a high severity rating. It was unearthed by Drew Webber, an offensive security engineer affiliated with Acquia, a company renowned for providing an enterprise-level Digital Experience Platform (DXP).
SQL injection vulnerabilities have plagued the digital landscape for over 25 years, remaining a persistent threat despite their well-documented nature and relative ease of mitigation.
Such vulnerabilities arise when user inputs are incorporated directly into SQL database queries without adequate sanitization or parameterization.
This negligence permits an assailant to manipulate the query’s function, enabling them to read, modify, or even erase information stored within a database.
The identified CVE-2026-2413 affects all versions of Ally up to and including 4.0.3, allowing an unauthenticated perpetrator to inject SQL queries into the URL path due to inadequate handling of a user-supplied URL parameter in a critical operational function.
“The issue stems from insufficient escaping of the user-supplied URL parameter within the `get_global_remediations()` method; it is directly concatenated into an SQL JOIN clause without appropriate sanitization for SQL contexts,” elucidates a technical analysis provided by Wordfence.
“While the function `esc_url_raw()` is employed for URL safety, it fails to inhibit the injection of SQL metacharacters such as single quotes and parentheses.
“Consequently, unauthenticated attackers can append additional SQL queries to pre-existing ones, potentially extracting sensitive information via time-based blind SQL injection techniques,” the researchers further clarify.
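The escaping mismatch described in the quoted analysis, as an added illustration that is not the plugin's or WordPress's code: a URL-context escaper leaves SQL metacharacters intact, so concatenating the value into a JOIN clause breaks the query on a URL containing a quote, while binding it as a parameter treats the same URL as plain data. The escaper is a constructed stand-in for `esc_url_raw()` built on `urllib.parse.quote`, and the table names and rows are constructed sample data.

```python
"""Added example: URL-context escaping is not SQL-context escaping.
Not Ally's code; the tables, rows and escaper are constructed stand-ins."""
import sqlite3
from urllib.parse import quote

# Constructed sample data standing in for pages joined to their remediations.
_SAMPLE_ROWS = [
    ("https://example.test/about", "alt-text"),
    ("https://example.test/o'neill", "contrast"),
]


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages(url TEXT)")
    con.execute("CREATE TABLE remediations(url TEXT, kind TEXT)")
    con.executemany("INSERT INTO pages VALUES (?)", [(u,) for u, _ in _SAMPLE_ROWS])
    con.executemany("INSERT INTO remediations VALUES (?, ?)", _SAMPLE_ROWS)
    return con


def url_escape(url):
    """Stand-in for URL-context escaping (assumed, not esc_url_raw itself):
    keeps characters that are legal in a URL, which includes ' and ( )."""
    return quote(url, safe="/:?=&'()")


def remediations_concat(url):
    """Vulnerable pattern: the URL-escaped value is spliced into a JOIN clause,
    so any quote in the URL changes the SQL instead of staying inside a string."""
    sql = ("SELECT r.kind FROM pages p JOIN remediations r "
           "ON r.url = p.url AND p.url = '" + url_escape(url) + "'")
    return [row[0] for row in _db().execute(sql)]


def remediations_param(url):
    """Hardened pattern: the URL is bound as a query parameter and the database
    driver keeps it as data, whatever characters it contains."""
    sql = ("SELECT r.kind FROM pages p JOIN remediations r "
           "ON r.url = p.url AND p.url = ?")
    return [row[0] for row in _db().execute(sql, (url,))]


def concat_query_breaks(url):
    """True when the concatenated query stops being valid SQL for this URL."""
    try:
        remediations_concat(url)
    except sqlite3.OperationalError:
        return True
    return False
```

The same URL that is returned correctly by `remediations_param()` turns the concatenated query into a syntax error, which is the point at which an unescaped quote has become part of the SQL rather than part of the data.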
According to Wordfence, the exploitation of this vulnerability is viable solely when the plugin is linked to an Elementor account and its Remediation module is activated.
The security firm confirmed the existence of the flaw and reported it to the vendor on February 13. Elementor rectified the issue in version 4.1.0, released on February 23, rewarding the researcher with an $800 bug bounty.
Data from WordPress.org indicates that merely 36% of websites utilizing the Ally plugin have transitioned to version 4.1.0, leaving over 250,000 websites susceptible to CVE-2026-2413.

In light of this vulnerability, site owners and administrators are urged to upgrade Ally to version 4.1.0 and implement the latest security update for WordPress, which was released just yesterday.
The recently launched WordPress version 6.9.2 addresses ten identified vulnerabilities, including cross-site scripting (XSS), authorization bypass, and server-side request forgery (SSRF) flaws. Immediate installation of this new version is strongly recommended.
Source link: Bleepingcomputer.com.