Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks

A vulnerability in the Ally WordPress plugin, which is designed for adding accessibility features to websites, could be exploited to extract sensitive information from the databases of over 200,000 sites.

Tracked as CVE-2026-2413 (CVSS score of 7.5), the bug is described as an SQL injection issue via the URL path and stems from user-supplied URL parameters in a certain method not being sufficiently sanitized.

The sanitization mechanism fails to prevent the injection of SQL metacharacters such as single quotes and parentheses, WordPress security firm Defiant explains.

“This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques,” the security firm notes.

The issue was identified in the plugin’s implementation of the ‘subscribers’ query functionality, which does not use the WordPress wpdb prepare() function, meant to parameterize and escape SQL queries for safe execution.

This allows attackers to inject custom SQL queries that are executed in WordPress, and to take a Time-Based blind SQL injection approach for information exfiltration.

Advertisement. Scroll to continue reading.

The patch for this security defect adds the wpdb prepare() function to the sanitization workflow, thus enabling the protection against SQL injection.

The fix was included in Ally version 4.1.0, which was released on February 23.

WordPress statistics show that, as of March 11, roughly 60% of all installations were running a vulnerable iteration of the plugin. Since Ally has over 400,000 active installations, more than 200,000 websites are likely exposed to potential attacks.

Originally published by SecurityWeek

Full Analysis