A critical SQL injection vulnerability discovered in a widely used WordPress plugin has placed more than 400,000 websites at risk of database data exposure.
Security researchers at Wordfence identified the flaw in “Ally – Web Accessibility & Usability,” a plugin designed to improve website accessibility. The issue affects versions up to 4.0.3 and has been assigned CVE-2026-2413.
The vulnerability could allow attackers to extract sensitive information directly from a site’s database.
The issue lies in the improper handling of user-supplied input within the plugin's code. Specifically, a function responsible for retrieving remediation data for a webpage inserts a URL parameter directly into a database query without proper SQL sanitization.
Although the plugin applied URL sanitization through the “esc_url_raw()” function, that measure only protects against unsafe URLs, not SQL manipulation. Without using WordPress’ database parameterization function ($wpdb->prepare()), attackers could inject malicious SQL statements into the query.
The flaw enables time-based blind SQL injection, in which attackers infer database contents by measuring server response times to specially crafted queries, and could allow unauthorized users to extract sensitive information such as:
- Password hashes
- User account data
- Configuration details stored in the WordPress database
The attack does not require authentication, meaning it could potentially be exploited by anyone who discovers a vulnerable site.
After disclosure, the plugin was updated with fixes in version 4.1.0, replacing the unsafe SQL concatenation with the WordPress prepare() function to safely bind user input.
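The pattern the article describes, as an added illustration rather than the Ally plugin's actual code: a lookup that runs the page URL through esc_url_raw() and then concatenates it into the query, beside the parameterized form using $wpdb->prepare() that the 4.1.0 fix is described as adopting. The table name, column name and function names are hypothetical. esc_url_raw() keeps characters that are legal in URLs, including the single quote, so it offers no protection once the value is spliced into SQL; binding it as a %s parameter is what removes the injection.

```php
<?php
// Added example, not code from the Ally plugin. Table and column names are
// hypothetical; only the WordPress APIs ($wpdb, esc_url_raw, prepare) are real.

// VULNERABLE PATTERN: the URL is cleaned as a URL, then concatenated into SQL.
// esc_url_raw() leaves URL-legal characters (including the apostrophe) intact,
// so the database still sees whatever SQL syntax the value carries.
function example_get_remediations_unsafe( $page_url ) {
    global $wpdb;
    $url   = esc_url_raw( $page_url );                 // URL-safe, not SQL-safe
    $table = $wpdb->prefix . 'example_remediations';   // hypothetical table
    $sql   = "SELECT * FROM {$table} WHERE page_url = '{$url}'";
    return $wpdb->get_results( $sql );
}

// FIXED PATTERN: the same lookup with the value bound through $wpdb->prepare().
// %s tells WordPress to quote and escape the argument as a string literal, so
// the value can only ever be compared as data, never parsed as SQL.
function example_get_remediations_safe( $page_url ) {
    global $wpdb;
    $url   = esc_url_raw( $page_url );                 // still useful for URL hygiene
    $table = $wpdb->prefix . 'example_remediations';   // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE page_url = %s",
        $url
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this class of bug, the check is mechanical: any `$wpdb->query()` / `get_results()` / `get_var()` call whose SQL string is built with interpolation or concatenation from request data is suspect, regardless of which `esc_*` or `sanitize_*` helper was applied first, because those helpers target HTML and URL contexts, not SQL. Keeping the table name out of the placeholder (it is not user input here) and binding only the user-controlled value is the intended use of prepare().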
Website administrators using the Ally plugin should update to version 4.1.0 or later immediately to protect their sites from potential exploitation.
Administrators should also ensure their WordPress environment is safe by:
- Keeping all WordPress plugins and themes updated
- Removing unused plugins
- Using a web application firewall (WAF) where possible
Because SQL injection vulnerabilities can expose sensitive database data, delaying updates could leave sites vulnerable to attackers scanning the internet for outdated plugins. Large-scale vulnerabilities like this serve as another reminder that even widely used plugins can introduce serious security risks if not properly maintained.