- Ally WordPress plugin had SQL injection vulnerability (CVE-2026-2413)
- The vulnerability left around 246,600 sites exposed to data theft
- Fixed in version 4.1.0; WordPress requests immediate updates
A popular WordPress plugin with hundreds of thousands of active installations had a high-severity vulnerability that allowed malicious actors to steal sensitive data from websites, experts have warned.
Ally is a web accessibility plugin from Elementor, released in November 2025. It not only identifies accessibility issues but also proposes fixes and guides web administrators through applying them.
But according to security researcher Drew Webber of Acquia, Ally had an SQL injection vulnerability that let unauthenticated attackers pass data into the site's SQL queries without proper sanitization.
Thousands of vulnerable websites
“This allows unauthenticated attackers to add additional SQL queries to already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques,” Webber noted.
The bug is tracked as CVE-2026-2413 and received a severity score of 7.5/10 (high). This affects all versions up to 4.0.3 and was fixed on February 23, through version 4.1.0.
Looking at the WordPress.org website, there are currently over 400,000 active installations, with 38.4% (153,600) running the latest version. This leaves around 246,600 websites vulnerable.
WordPress is generally considered a safe website building platform, with the majority of vulnerabilities coming from third-party plugins and themes. This is why most security professionals advise users to only keep the plugins and themes they use and make sure they are updated at all times.
Besides upgrading Ally, users should also upgrade the platform itself, as it recently released its latest security update, WordPress 6.9.2, which fixes 10 vulnerabilities, including a cross-site scripting (XSS) flaw, an authorization bypass vulnerability, and a server-side request forgery (SSRF) bug.
WordPress urges its customers to install the latest version “immediately.”
Via BleepingComputer