- Ally WordPress plugin had a SQL injection flaw (CVE-2026-2413)
- The vulnerability left ~246,600 sites exposed to data theft
- Fixed in version 4.1.0; WordPress urges immediate updates
A popular WordPress plugin with hundreds of thousands of active installations had a high severity vulnerability that allowed malicious actors to steal sensitive data from websites, experts warned.
Ally is a web accessibility tool from Elementor, launched in November 2025 as a tool that not only identifies accessibility issues but also offers solutions and guides web administrators through the application process.
But according to security researcher Drew Webber of Acquia, Ally had a SQL injection vulnerability that allows unauthenticated attackers to send data to the SQL database without proper sanitization.
Thousands of vulnerable websites
“This makes it possible for unauthenticated attackers to add additional SQL queries to already existing queries that can be used to extract sensitive information from the database using blind time-based SQL injection techniques,” Webber said.
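The pattern Webber describes, as an added illustration that is not Ally's code and not taken from the advisory: a hypothetical plugin AJAX handler reachable by logged-out visitors (`wp_ajax_nopriv_`) that concatenates a request parameter into SQL, beside the same handler bound with `$wpdb->prepare()`. The table name, parameter and action name are invented.

```php
<?php
// Added example, not Ally's code: a hypothetical unauthenticated AJAX handler
// in a WordPress plugin. Table, parameter and action names are invented.

// Vulnerable form: the request value is concatenated straight into the query,
// so an unauthenticated caller controls part of the SQL text. A value that
// delays the response (the blind time-based technique the article mentions)
// lets the caller infer data from timing without ever seeing query output.
function ally_example_lookup_vulnerable() {
    global $wpdb;
    $page_id = $_GET['page_id'] ?? '';                 // untrusted, unvalidated
    $sql  = "SELECT status FROM {$wpdb->prefix}example_scans WHERE page_id = " . $page_id;
    $rows = $wpdb->get_results( $sql );                // no prepare(), no cast
    wp_send_json( $rows );
}

// Hardened form: cast to the expected type and bind with $wpdb->prepare(),
// so the value can never change the structure of the statement.
function ally_example_lookup_fixed() {
    global $wpdb;
    $page_id = absint( $_GET['page_id'] ?? 0 );        // non-negative integer or 0
    if ( 0 === $page_id ) {
        wp_send_json_error( 'invalid page_id', 400 );  // reject instead of guessing
    }
    $sql = $wpdb->prepare(
        "SELECT status FROM {$wpdb->prefix}example_scans WHERE page_id = %d",
        $page_id
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Only the hardened handler is registered. wp_ajax_nopriv_ hooks run for
// logged-out visitors, which is why input handling on them matters most.
add_action( 'wp_ajax_nopriv_ally_example_lookup', 'ally_example_lookup_fixed' );
add_action( 'wp_ajax_ally_example_lookup', 'ally_example_lookup_fixed' );
```

Registering the vulnerable function on a `nopriv` hook is exactly the unauthenticated exposure the article describes; the fix is binding, not filtering.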
The bug is tracked as CVE-2026-2413 and was assigned a severity score of 7.5/10 (High). It affects all versions up to 4.0.3 and was fixed on February 23 through 4.1.0.
On the WordPress.org website, there are over 400,000 active installations right now, of which 38.4% (153,600) are running the latest version. That leaves approximately 246,600 websites vulnerable.
WordPress is generally considered a secure website building platform, and most vulnerabilities come from third-party plugins and themes. This is why most security professionals recommend that users keep only the plugins and themes they actually use and make sure those are up to date at all times.
In addition to updating Ally, users should also update the platform itself, which recently released its latest security update: WordPress 6.9.2 fixes 10 vulnerabilities, including a cross-site scripting (XSS) flaw, an authorization bypass vulnerability, and a server-side request forgery (SSRF) bug.
WordPress encourages its customers to install the latest version “immediately.”
Via BleepingComputer