An unauthenticated SQL injection flaw (CVE-2026-2413) in the Ally WordPress plugin, used on 400K+ sites, could allow attackers to steal sensitive data.
An unauthenticated SQL injection flaw, tracked as CVE-2026-2413 (CVSS score 7.5), in the Ally plugin could allow attackers to steal sensitive data. Offensive security engineer Drew Webber of Acquia discovered the vulnerability on February 4, 2026.
Ally (formerly One Click Accessibility) is a free WordPress plugin that helps creators build accessible websites. It offers an accessibility scanner with AI suggestions, a usability widget for visitors, and an automated accessibility statement generator.
The flaw could allow attackers to extract sensitive database data, including password hashes. The issue was responsibly reported by Drew Webber through the Wordfence Bug Bounty Program, earning an $800 bounty. Wordfence notified Elementor on February 13, the vendor acknowledged the report on February 15, and released a patch on February 23, 2026.
Users are urged to update to Ally version 4.1.0 to mitigate the risk.
The vulnerability stems from insecure handling of the subscribers query in Ally. The plugin builds a SQL JOIN query using a page URL parameter without using WordPress’ wpdb->prepare() function, which normally escapes and parameterizes queries.
Although esc_url_raw() is used, it does not prevent SQL injection. This flaw allows attackers to inject malicious SQL. By exploiting it with time-based blind SQL injection, using CASE statements and SLEEP() delays, an attacker could gradually extract sensitive information from the database.
“The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3,” reads the advisory published by Wordfence. “This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected.”
The development team addressed the issue by using the wpdb prepare() function in the JOIN statement.
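As an added illustration of the pattern the advisory describes (not the plugin's own code, which is not reproduced here), the unsafe string-concatenated JOIN beside its `$wpdb->prepare()` form; the function and table names are hypothetical:

```php
<?php
// Hypothetical reconstruction of the bug class, not code from the Ally plugin.
// Assumes a WordPress context where the global $wpdb object is available.

// UNSAFE: esc_url_raw() only removes characters that are invalid in a URL.
// Single quotes and parentheses are valid URL characters, so they survive
// and are concatenated straight into the SQL string.
function example_unsafe_join( $page_url ) {
    global $wpdb;
    $page_url = esc_url_raw( $page_url );   // URL validity, not SQL safety
    $sql = "SELECT r.id FROM {$wpdb->prefix}example_remediations r "
         . "JOIN {$wpdb->prefix}example_pages p ON p.id = r.page_id "
         . "AND p.url = '" . $page_url . "'";   // attacker-controlled text in SQL
    return $wpdb->get_col( $sql );
}

// SAFE: the value is bound through a %s placeholder in $wpdb->prepare(), which
// escapes it for the SQL context so it can never alter the query structure.
function example_prepared_join( $page_url ) {
    global $wpdb;
    $page_url = esc_url_raw( $page_url );   // still fine to keep for URL hygiene
    $sql = $wpdb->prepare(
        "SELECT r.id FROM {$wpdb->prefix}example_remediations r "
        . "JOIN {$wpdb->prefix}example_pages p ON p.id = r.page_id "
        . "AND p.url = %s",
        $page_url
    );
    return $wpdb->get_col( $sql );
}
```

When reviewing plugin code for this bug class, grep for `$wpdb->` calls whose SQL string is built with `.` concatenation or `"{$var}"` interpolation of request data; `esc_url_raw()`, `sanitize_text_field()` and similar output-context escapers are not substitutes for `prepare()`.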
“The vulnerability has been addressed in version 4.1.0 of the plugin,” concludes the advisory. “We encourage WordPress users to verify that their sites are updated to the latest patched version of Ally as soon as possible considering the critical nature of this vulnerability.”
