Security Flaw in WordPress Plugin Puts 400,000 Websites at Risk

A security flaw in the Ally WordPress plugin used on more than 400,000 sites could allow attackers to extract sensitive data without logging in.

[Image: a person receiving a security-breach notification on a laptop. Credit: Adobe]

A vulnerability in a widely used WordPress accessibility plugin could allow attackers to steal sensitive data from affected websites without requiring a login.

The flaw affects the Ally plugin developed by Elementor, which is installed on hundreds of thousands of sites worldwide.

This vulnerability “… can be leveraged to extract sensitive data from the database, such as password hashes,” Wordfence researchers said.


Inside the Elementor Ally plugin vulnerability

The Ally plugin, developed by Elementor, is designed to improve accessibility and usability on WordPress websites by providing automated remediation tools and interface adjustments for users with disabilities.

Features include accessibility scanning, remediation suggestions, and front-end interface improvements intended to help websites meet accessibility standards.

According to Wordfence, the plugin has more than 400,000 installations, making it widely deployed across blogs, corporate websites, and enterprise platforms.

CVE-2026-2413

Researchers recently identified a vulnerability in the plugin tracked as CVE-2026-2413 that affects all versions of Ally up to 4.0.3. The flaw could allow attackers to extract sensitive information from a website’s underlying database under certain conditions, particularly when specific plugin features are enabled.

The issue arises from a SQL injection vulnerability, which occurs when an application fails to properly validate or sanitize user input before including it in database queries.

When input controls are weak, attackers can insert malicious SQL commands into the query, allowing them to manipulate how the database responds. This can enable unauthorized access to sensitive information or allow attackers to modify or delete stored data.

How the SQL injection works

In this case, the vulnerability exists within the plugin’s get_global_remediations() function.

According to Wordfence researchers, the issue occurs because a user-controlled URL parameter is inserted directly into an SQL JOIN clause without proper sanitization for the SQL context.

Although the plugin attempts to validate the parameter with esc_url_raw() to ensure it is a valid URL, that safeguard is not designed to prevent SQL injection. The function does not filter SQL metacharacters such as quotation marks or parentheses, which attackers can use to manipulate the database query.

As a result, attackers may be able to append additional SQL logic to the query and perform time-based blind SQL injection attacks. This technique allows attackers to infer database contents indirectly by sending crafted queries and analyzing variations in server response times.
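The pattern described above, modelled in Python with sqlite3 as an added example (this is not the plugin's code, and the table names, sample rows and the crafted input are constructed): a URL-shape check in the spirit of esc_url_raw() accepts a value that still changes the meaning of a JOIN condition when it is concatenated in, while the same lookup with a bound parameter treats the value purely as data.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed sample data: pages and their accessibility remediations.
PAGES = [(1, "https://example.com/home"), (2, "https://example.com/about")]
REMEDIATIONS = [(1, "add alt text to hero image"), (2, "raise contrast of nav links")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, url TEXT NOT NULL)")
    conn.execute("CREATE TABLE remediations (page_id INTEGER NOT NULL, note TEXT NOT NULL)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    conn.executemany("INSERT INTO remediations VALUES (?, ?)", REMEDIATIONS)
    return conn


def is_valid_url(value):
    """A URL-shape check in the spirit of esc_url_raw(): scheme and host must be
    present. Quotes and parentheses are legal URL characters, so they pass."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def vulnerable_lookup(conn, url):
    """Bug pattern from the article: the URL-validated value is concatenated into
    the JOIN condition, so SQL metacharacters reach the SQL parser."""
    sql = ("SELECT r.note FROM pages p JOIN remediations r "
           f"ON r.page_id = p.id AND p.url = '{url}'")
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, url):
    """Fix: keep the URL check, but bind the value as a query parameter (the
    equivalent of $wpdb->prepare() in WordPress) so it is only ever data."""
    sql = ("SELECT r.note FROM pages p JOIN remediations r "
           "ON r.page_id = p.id AND p.url = ?")
    return [row[0] for row in conn.execute(sql, (url,))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed input: passes the URL check, yet rewrites the JOIN condition.
    crafted = "https://example.com/x' OR '1'='1"
    print(is_valid_url(crafted))             # True: URL validation is not SQL validation
    print(vulnerable_lookup(conn, crafted))  # every remediation for every page
    print(hardened_lookup(conn, crafted))    # []: no page has that literal URL
```

The defensive takeaway is the one Wordfence makes: validate the value for its own format, then escape or bind it for the context it is used in, since each layer protects only against its own class of problem.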

Exploitation conditions and patch

The vulnerability can be exploited without authentication, meaning attackers do not need valid login credentials to attempt exploitation.

However, Wordfence notes that the attack is only possible when the plugin is connected to an Elementor account and its Remediation module is enabled.

Elementor has released a patch addressing the vulnerability.

How to reduce the WordPress attack surface

Organizations running WordPress should take proactive measures to minimize the risk of exploitation from vulnerable plugins and other common web application security threats.

As WordPress continues to power a large portion of the internet, vulnerabilities in widely used plugins can quickly create broad attack surfaces for threat actors.

Organizations should prioritize patch management, strong input validation practices, and continuous monitoring of third-party components to reduce exposure.

Editor’s note: This article originally appeared on our sister website, eSecurityPlanet.
