PT-2026-24548 · WordPress+1 · Ally – Web Accessibility & Usability+1

Drew Webber

·

Published

2026-03-10

·

Updated

2026-03-12

·

CVE-2026-2413

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: The Ally – Web Accessibility & Usability plugin for WordPress, versions prior to 4.1.0.
Description: The Ally – Web Accessibility & Usability plugin for WordPress is susceptible to SQL injection through the URL path. The user-supplied URL parameter is not escaped for SQL within the get_global_remediations() method: it is incorporated directly into an SQL JOIN clause without sanitization for SQL context. esc_url_raw() is applied to the value for URL safety, but that function does not remove SQL metacharacters. This allows unauthenticated attackers to append additional SQL queries to existing queries, potentially extracting sensitive information from the database using time-based blind SQL injection techniques. The vulnerability is exploitable only when the Remediation module is active, which requires a connection to an Elementor account. Approximately 400,000 WordPress sites are affected.
Recommendations: Update to version 4.1.0 or later.
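The defect class the description points at, as an added illustration that is not the plugin's own code and not the 4.1.0 fix: a URL value that has passed esc_url_raw() is interpolated into a JOIN clause, beside the $wpdb->prepare() form that binds it as a parameter. The table name (example_remediations), the page_url and post_id columns and the example_ function names are hypothetical.

```php
<?php
// Added illustration (not the plugin's code). Table and column names are
// hypothetical; only the pattern (URL escaping used in place of SQL
// parameterization inside a JOIN) matches the advisory.

// Unsafe pattern: esc_url_raw() strips newlines and bytes outside its URL
// character set, but it keeps ' ( ) ; , = and *, so the result is still
// not safe to splice into SQL.
function example_get_global_remediations_unsafe( string $url ): array {
    global $wpdb;
    $url   = esc_url_raw( $url );                 // URL context only, no SQL quoting
    $table = $wpdb->prefix . 'example_remediations';
    $sql   = "SELECT r.* FROM {$table} AS r"
           . " INNER JOIN {$wpdb->posts} AS p ON p.ID = r.post_id"
           . " AND r.page_url = '{$url}'";       // untrusted value interpolated
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: bind the value through a %s placeholder so $wpdb quotes
// and escapes it for SQL, whatever esc_url_raw() left in place. Only the
// user-supplied value is bound; the table names are trusted constants and
// are interpolated as before.
function example_get_global_remediations_safe( string $url ): array {
    global $wpdb;
    $url   = esc_url_raw( $url );                 // still fine for URL validity
    $table = $wpdb->prefix . 'example_remediations';
    $sql   = $wpdb->prepare(
        "SELECT r.* FROM {$table} AS r"
        . " INNER JOIN {$wpdb->posts} AS p ON p.ID = r.post_id"
        . " AND r.page_url = %s",                 // no quotes around %s
        $url
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}
```

When auditing similar code, the check is whether every user-controlled value that reaches $wpdb->query() or $wpdb->get_results() went through $wpdb->prepare() (or $wpdb->esc_like() for LIKE patterns); esc_url_raw(), esc_attr() and sanitize_text_field() are output- or input-context escapers and do not make a value SQL-safe.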

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-2413

Affected Products

Ally – Web Accessibility & Usability
Elementor