Vulnerability Management, Data Security, Patch/Configuration Management

High-severity WordPress plugin flaw poses data compromise risk

(Credit: Bilal Ulker – stock.adobe.com)

Ally, a widely used WordPress plugin focused on website usability and accessibility, is affected by a high-severity security vulnerability that could be exploited without authentication to compromise sensitive information, reports BleepingComputer.

The flaw, tracked as CVE-2026-2413, is an SQL injection vulnerability that attackers can exploit to read, modify, or delete data from the website's database by injecting malicious SQL commands through a URL parameter, according to Acquia security engineer Drew Webber, who discovered the issue. Abuse does not require authentication but is only possible if the Remediation module is enabled and the plugin is connected to an Elementor account.

"This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques," said WordFence researchers.
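The defect class described above, a URL parameter spliced straight into an SQL statement, beside the hardened form a WordPress plugin should use. This is an added illustration written for this article, not the Ally plugin's code; the function names (`ally_demo_*`), the table `{$wpdb->prefix}ally_demo_items`, the `item` parameter and the AJAX action name are assumptions for the example.

```php
<?php
// Added illustration, not the Ally plugin's code. All names below
// (ally_demo_*, the ally_demo_items table, the "item" parameter) are assumed.

// Vulnerable pattern: the raw "item" query-string value is concatenated into
// the SQL text, so whatever a visitor places in ?item= becomes part of the
// statement and can extend the existing query with additional SQL.
function ally_demo_get_item_vulnerable() {
    global $wpdb;
    $item = isset( $_GET['item'] ) ? $_GET['item'] : '';
    $sql  = "SELECT id, title FROM {$wpdb->prefix}ally_demo_items WHERE slug = '" . $item . "'";
    return $wpdb->get_row( $sql );
}

// Hardened pattern: the value is bound through a %s placeholder with
// $wpdb->prepare(), so the database always treats it as data, never as SQL.
// The table name is still interpolated because placeholders cannot bind
// identifiers; it derives from the fixed $wpdb->prefix, not from user input.
function ally_demo_get_item_hardened() {
    global $wpdb;
    $item = isset( $_GET['item'] ) ? sanitize_text_field( wp_unslash( $_GET['item'] ) ) : '';
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}ally_demo_items WHERE slug = %s",
        $item
    );
    return $wpdb->get_row( $sql );
}

// Registering the handler for logged-out visitors (wp_ajax_nopriv_*) is what
// makes a query like this reachable without authentication, as in the article.
// Only the hardened variant is wired up here.
add_action( 'wp_ajax_nopriv_ally_demo_item', 'ally_demo_item_endpoint' );
add_action( 'wp_ajax_ally_demo_item', 'ally_demo_item_endpoint' );
function ally_demo_item_endpoint() {
    wp_send_json( ally_demo_get_item_hardened() );
}
```

When reviewing a plugin for this defect, look for any `$wpdb->query()`, `get_row()`, `get_results()` or `get_var()` call whose SQL string is built with `.` or `"{$var}"` from `$_GET`, `$_POST` or `$_REQUEST`; every user-controlled value in a WHERE, ORDER BY or LIMIT clause should pass through `prepare()` (or, for identifiers and sort directions, through an allow-list), and the endpoint should also enforce a capability check and nonce unless it is intentionally public.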

The vulnerability was fixed in version 4.1.0, released on February 23. WordPress data shows only about 36% of sites using the plugin have updated, leaving at least 250,000 websites still vulnerable.
