PT-2026-24548 · WordPress · Ally – Web Accessibility & Usability
Drew Webber
·
Published
2026-03-10
·
Updated
2026-04-06
·
CVE-2026-2413
CVSS v3.1
7.5
High
| AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
The Ally – Web Accessibility & Usability plugin for WordPress versions prior to 4.1.0
Description
The Ally – Web Accessibility & Usability plugin for WordPress is susceptible to SQL injection through the URL path. The flaw stems from inadequate escaping of the user-supplied URL parameter in the get_global_remediations() method. The parameter is incorporated directly into an SQL JOIN clause without sanitization for the SQL context; esc_url_raw() is applied, but it escapes for URL safety only and does not neutralize SQL metacharacters. This allows unauthenticated attackers to append additional SQL queries to existing ones and potentially extract sensitive information from the database using time-based blind SQL injection techniques. The vulnerability is exploitable only when the Remediation module is active, which requires a connection to an Elementor account. Approximately 400,000 WordPress sites are affected.
Recommendations
Update to version 4.1.0 or later.
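The following is an added illustration of the pattern described above, written for this page and not taken from the plugin's source. It contrasts the vulnerable shape (a URL escaped with esc_url_raw() and then concatenated into a JOIN condition) with the hardened shape that binds the value through $wpdb->prepare(). The table names (ally_remediations, ally_pages), column names and function names are assumptions for the example only.

```php
<?php
// Added example, not the plugin's code. Table and column names are assumed.

/**
 * Vulnerable shape: esc_url_raw() only escapes for the URL context, so
 * quotes and other SQL metacharacters survive into the query string.
 * Concatenating the value into the JOIN condition leaves the SQL
 * context unprotected (the defect the advisory describes).
 */
function remediations_for_url_vulnerable( string $url ): array {
    global $wpdb;
    $url = esc_url_raw( $url ); // URL-context escaping, not SQL escaping
    $sql = "SELECT r.* FROM {$wpdb->prefix}ally_remediations r
            JOIN {$wpdb->prefix}ally_pages p
              ON p.id = r.page_id AND p.url = '" . $url . "'";
    return $wpdb->get_results( $sql, ARRAY_A ) ?: array();
}

/**
 * Hardened shape: the same query with the user value passed to
 * $wpdb->prepare(), which quotes and escapes it as a string literal
 * for the SQL context. Identifiers (table and column names) remain
 * hard-coded; they are never taken from request input.
 */
function remediations_for_url_safe( string $url ): array {
    global $wpdb;
    $url = esc_url_raw( $url ); // still fine for URL normalisation
    $sql = $wpdb->prepare(
        "SELECT r.* FROM {$wpdb->prefix}ally_remediations r
         JOIN {$wpdb->prefix}ally_pages p
           ON p.id = r.page_id AND p.url = %s",
        $url
    );
    return $wpdb->get_results( $sql, ARRAY_A ) ?: array();
}
```

When reviewing a plugin for this class of bug, a quick check is to search for $wpdb->get_results(), get_var(), get_row() and query() calls whose SQL string is built by concatenation or interpolation rather than produced by $wpdb->prepare(); escaping helpers named for another context (esc_url_raw, esc_html, esc_attr) are not substitutes for SQL parameter binding.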
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Ally – Web Accessibility & Usability
Elementor