Another worrying WordPress plugin security flaw could put 250,000 websites at risk


  • Ally WordPress plugin carried SQL injection flaw (CVE-2026-2413)
  • Vulnerability left ~246,600 sites exposed to data theft
  • Fixed in version 4.1.0; WordPress urges immediate updates

A popular WordPress plugin with hundreds of thousands of active installations carried a high-severity vulnerability that allowed malicious actors to steal sensitive data from websites, experts have warned.

Ally is a web accessibility tool from Elementor, released in November 2025 as a tool that not only identifies accessibility issues but also offers solutions and walks web admins through the process of applying them.

But according to security researcher Drew Webber from Acquia, Ally was carrying an SQL injection vulnerability that allowed unauthenticated attackers to pass input into the plugin's SQL queries without proper sanitization.


Thousands of vulnerable websites

“This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques,” Webber noted.

The bug is tracked as CVE-2026-2413 and was given a severity score of 7.5/10 (high). It affects all versions up to 4.0.3 and was fixed on February 23 with version 4.1.0.
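To make the mechanism Webber describes concrete, here is an added illustration; it is not code from Ally or Elementor (the article does not show the affected code), and the REST route, the `status` parameter and the `ally_demo_scans` table name are invented for the example. It shows a WordPress request handler that concatenates an unauthenticated parameter into a query, next to the same lookup written with `$wpdb->prepare()` and registered behind a capability check.

```php
<?php
// Added illustration, not Ally's code. Assumes the WordPress globals ($wpdb)
// and the REST API; the table suffix "ally_demo_scans", the "demo/v1/scans"
// route and the "status" parameter are invented for this example.

// Vulnerable pattern: request input is pasted straight into SQL. Because the
// value is never parameterised, any quote characters or SQL keywords it
// contains become part of the statement, which is exactly what lets an
// attacker append further query fragments and extract data via timing
// differences. Shown for comparison only; it is never registered below.
function demo_vulnerable_lookup( WP_REST_Request $request ) {
    global $wpdb;
    $status = $request->get_param( 'status' );
    $sql    = "SELECT id, url FROM {$wpdb->prefix}ally_demo_scans WHERE status = '" . $status . "'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Hardened pattern: the same lookup with the value bound through
// $wpdb->prepare(). WordPress escapes and quotes the %s placeholder, so
// attacker-controlled text is only ever compared as data, never parsed as
// SQL. Restricting the input to a known value set narrows it further.
function demo_safe_lookup( WP_REST_Request $request ) {
    global $wpdb;
    $status  = (string) $request->get_param( 'status' );
    $allowed = array( 'pending', 'done', 'failed' );
    if ( ! in_array( $status, $allowed, true ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown status.', array( 'status' => 400 ) );
    }
    // $wpdb->prefix comes from the site configuration, not from the request.
    $sql = $wpdb->prepare(
        "SELECT id, url FROM {$wpdb->prefix}ally_demo_scans WHERE status = %s",
        $status
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// The other half of "unauthenticated": register the route with a
// permission_callback so anonymous callers never reach the handler at all.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/scans', array(
        'methods'             => 'GET',
        'callback'            => 'demo_safe_lookup',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'status' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

Two independent controls are at work: parameterisation stops the injected text from being interpreted as SQL at all, and the permission callback means an unauthenticated request is rejected before any query runs. A fix that applies only one of them leaves the other failure mode in place.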

Looking at the WordPress.org website, there are more than 400,000 active installations right now, with 38.4% (153,600) running the latest version. That leaves roughly 246,600 vulnerable websites.

WordPress is generally considered a safe website builder platform, with the majority of vulnerabilities coming from third-party plugins and themes. That is why most security professionals advise users to keep only the plugins and themes they actually use, and to make sure those are updated at all times.
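One way to turn that advice into a routine check, as an added example that is not from the article or any plugin: a small function that runs inside WordPress and reports plugins that are installed but inactive (candidates for removal) and plugins for which WordPress.org lists a newer release than the one installed (candidates for immediate update). It relies only on the standard plugin API and the `update_plugins` site transient; the function name is an assumption.

```php
<?php
// Added illustration, not part of the article or of any plugin. Assumes it
// runs inside WordPress (for example from an mu-plugin or a WP-CLI eval
// context) so that the plugin API and the update transient are available.
require_once ABSPATH . 'wp-admin/includes/plugin.php';

/**
 * Build a hygiene report: inactive plugins and plugins with a pending update.
 *
 * @return array{inactive: string[], outdated: array<string, array{installed: string, available: string}>}
 */
function demo_plugin_hygiene_report() {
    // Refresh WordPress's view of available updates so the comparison below
    // is not made against a stale cache.
    wp_update_plugins();
    $updates = get_site_transient( 'update_plugins' );
    $pending = ( is_object( $updates ) && ! empty( $updates->response ) ) ? $updates->response : array();

    $inactive = array();
    $outdated = array();

    // get_plugins() is keyed by plugin file (e.g. "slug/slug.php") and carries
    // the header data, including Name and Version, for each installed plugin.
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            $inactive[] = $data['Name'];
        }
        if ( isset( $pending[ $file ] ) ) {
            $outdated[ $data['Name'] ] = array(
                'installed' => $data['Version'],
                'available' => $pending[ $file ]->new_version,
            );
        }
    }

    return array( 'inactive' => $inactive, 'outdated' => $outdated );
}

// Example use: print the report. On a site still running an affected Ally
// release, Ally would appear under OUTDATED with 4.1.0 or later as available.
foreach ( demo_plugin_hygiene_report() as $section => $entries ) {
    echo strtoupper( $section ), ":\n";
    foreach ( $entries as $name => $entry ) {
        echo '  ', is_array( $entry ) ? "$name {$entry['installed']} -> {$entry['available']}" : $entry, "\n";
    }
}
```

Scheduling this through WP-Cron or a WP-CLI job and alerting on a non-empty `outdated` list gives a simple, repeatable signal for the "keep everything updated" part of the advice, while the `inactive` list is the starting point for trimming the attack surface.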

Besides upgrading Ally, users should also upgrade the platform itself, since WordPress recently released its latest security update: WordPress 6.9.2 fixes 10 vulnerabilities, including a cross-site scripting (XSS) flaw, an authorization bypass vulnerability, and a server-side request forgery (SSRF) bug.

WordPress urges its customers to install the latest version “immediately.”

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
