An SQL injection vulnerability in Ally, a WordPress plugin from Elementor for web accessibility and usability with more than 400,000 installations, could be exploited to steal sensitive data without authentication.
The security issue, tracked as CVE-2026-2413, received a high severity score. It was discovered by Drew Webber (mcdruid), an offensive security engineer at Acquia, a software-as-a-service company that provides an enterprise-level Digital Experience Platform (DXP).
SQL injection flaws have been around for more than 25 years and continue to be a threat today, despite being well understood and technically easy to fix and avoid. This type of security issue occurs when user input is directly inserted into an SQL database query without proper sanitization or parameterization.
This allows an attacker to inject SQL commands that alter the query’s behavior to read, modify, or delete information in the database.
CVE-2026-2413 affects all Ally versions up to 4.0.3 and lets an unauthenticated attacker to inject SQL queries via the URL path due to improper handling of a user-supplied URL parameter in a critical function.
“This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context,” reads a technical analysis from WordFence.
“While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected.
“This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques,” the researchers explain.
Wordfence notes that exploiting the vulnerability is possible only if the plugin is connected to an Elementor account and its Remediation module is active.
The security firm validated the flaw and disclosed it to the vendor on February 13. Elementor fixed the flaw in version 4.1.0 (latest), released on February 23, and an $800 bug bounty was awarded to the researcher.
Data from WordPress.org shows that only about 36% of websites using the Ally plugin have upgraded to version 4.1.0, leaving more than 250,000 sites vulnerable to CVE-2026-2413.
In addition to upgrading Ally to version 4.1.0, site owners/administrators are also recommended to install the latest security update for WordPress, released yesterday.
WordPress 6.9.2, addresses 10 vulnerabilities, including cross-site request (XSS), authorization bypass, and server-side request forgery (SSRF) flaws. The new version of the platform is recommended to be installed "immediately."
99% of What Mythos Found Is Still Unpatched.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop.