- Ally WordPress plugin had SQL injection vulnerability (CVE-2026-2413)
- Vulnerability left ~246,600 websites vulnerable to data theft
- Fixed in version 4.1.0; WordPress encourages immediate updates
A popular WordPress plugin with hundreds of thousands of active installations carried a serious vulnerability that allowed malicious actors to steal sensitive data from websites, experts have warned.
Ally is a web accessibility tool from Elementor, released in November 2025 as a tool that not only identifies accessibility issues, but also offers solutions and guides webmasters through the process of applying them.
But according to Acquia security researcher Drew Webber, Ally carried an SQL injection vulnerability that allows unauthorized attackers to pass data into the plugin's SQL queries without proper sanitization.
Thousands of vulnerable websites
“This allows unauthorized attackers to add additional SQL queries to pre-existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques,” Webber noted.
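The probes Webber describes leave a recognisable trace in web-server logs: a request whose query string carries a database delay primitive, followed by an unusually slow response. The script below, added here as an illustration rather than anything from the original report or from Elementor, scans constructed Apache-style log lines (response time in milliseconds appended as the last field) and separates confirmed delays from mere attempts; the endpoint paths are hypothetical placeholders, not the affected plugin's real routes.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines: combined log format with the response time (ms) appended.
# Endpoint paths are hypothetical placeholders, not the affected plugin's real routes.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Feb/2026:10:01:02 +0000] "GET /wp-json/hypothetical-plugin/v1/items?id=7 HTTP/1.1" 200 512 11
203.0.113.5 - - [24/Feb/2026:10:01:03 +0000] "GET /wp-json/hypothetical-plugin/v1/items?id=7%20AND%20SLEEP(5) HTTP/1.1" 200 512 5023
198.51.100.9 - - [24/Feb/2026:10:01:04 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_lookup&id=3%27+OR+BENCHMARK(5000000,MD5(1))--+- HTTP/1.1" 200 88 52
198.51.100.10 - - [24/Feb/2026:10:01:05 +0000] "GET /?s=sleep+well HTTP/1.1" 200 3401 40
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ (?P<ms>\d+)$'
)
# Delay primitives of common SQL engines; requiring "(" or "DELAY" keeps ordinary words like "sleep" out.
DELAY_RE = re.compile(r'\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b', re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ms"] = int(d["ms"])
    d["decoded"] = unquote_plus(d["path"])  # undo %xx and '+' encoding so obfuscated payloads are visible
    return d


def classify(entry, slow_ms=2000):
    """'confirmed' when a delay primitive is present and the response was slow (the delay fired),
    'attempt' when the primitive is present but the response was fast, None otherwise."""
    if not DELAY_RE.search(entry["decoded"]):
        return None
    return "confirmed" if entry["ms"] >= slow_ms else "attempt"


def find_probes(log_text, slow_ms=2000):
    """Return (ip, verdict, decoded path, ms) for every request that carries a delay primitive."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry, slow_ms)
        if verdict:
            hits.append((entry["ip"], verdict, entry["decoded"], entry["ms"]))
    return hits


if __name__ == "__main__":
    for ip, verdict, path, ms in find_probes(SAMPLE_LOG):
        print(f"{verdict:9} {ip:15} {ms:5d}ms {path}")
```

A "confirmed" hit means the injected delay actually executed, which is the strongest indicator that the parameter is injectable; "attempt" lines still identify the source address and the parameter being targeted.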
The bug is tracked as CVE-2026-2413 and received a severity score of 7.5/10 (high). It affects all versions up to 4.0.3 and was fixed on February 23rd through version 4.1.0.
Looking at the WordPress.org website, there are more than 400,000 active installations right now, with 38.4% (153,600) running the latest version. That leaves around 246,600 vulnerable websites.
WordPress is generally considered a secure website building platform, with the majority of vulnerabilities coming from third-party plugins and themes. This is why most security experts advise users to install only the plugins and themes they actually use, and to keep them updated at all times.
In addition to upgrading Ally, users should also upgrade the platform itself, as WordPress recently released its latest security update: version 6.9.2 fixes 10 vulnerabilities, including a cross-site scripting (XSS) flaw, an authorization bypass vulnerability, and a server-side request forgery (SSRF) flaw.
WordPress encourages its customers to install the latest version “immediately.”
Via Bleeping Computer