SQL Injection Vulnerability in Ally – Web Accessibility & Usability Plugin for WordPress
CVE-2026-2413

7.5 HIGH

What is CVE-2026-2413?

CVE-2026-2413 is a SQL Injection vulnerability found in the Ally – Web Accessibility & Usability plugin for WordPress, affecting all versions up to and including 4.0.3. This plugin is designed to enhance web accessibility and usability for WordPress sites. The vulnerability arises from inadequate escaping of user-supplied URL parameters in the get_global_remediations() method. Specifically, the plugin directly concatenates these parameters into an SQL JOIN clause without sufficient sanitization for the SQL context. Although esc_url_raw() is applied for URL safety, it fails to prevent the injection of SQL metacharacters, enabling unauthenticated attackers to append malicious SQL queries. This presents a significant threat as attackers could potentially exploit the vulnerability to extract sensitive data from the database using time-based blind SQL injection techniques. Notably, the impact is contingent upon the Remediation module being active, which necessitates the plugin's connection to an Elementor account.
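The escaping mismatch described above, shown as an added illustration rather than the plugin's own code: a hypothetical query builder that runs URL parameters through esc_url_raw() and concatenates them into a JOIN, beside the same query rebuilt on $wpdb->prepare(). The table name wp_ally_remediations, its columns and both function names are assumptions.

```php
<?php
// Added illustration, not code from the Ally plugin. Assumes a WordPress
// environment ($wpdb, esc_url_raw) and a hypothetical table
// {$wpdb->prefix}ally_remediations with columns url and page_id.

// Vulnerable pattern: URL-context sanitization, then string concatenation.
// esc_url_raw() only strips characters that are invalid in a URL; it keeps
// ' ( ) = ; and similar, because they are legal in URLs. In the 'db' context
// it does not even entity-encode the single quote, so the quoting of the
// IN (...) list below is under the caller's control.
function get_global_remediations_unsafe( array $urls ) {
    global $wpdb;
    $clean = array_map( 'esc_url_raw', $urls );
    $list  = "'" . implode( "','", $clean ) . "'";
    $sql   = "SELECT r.* FROM {$wpdb->prefix}ally_remediations r "
           . "JOIN {$wpdb->posts} p ON p.ID = r.page_id AND r.url IN ({$list})";
    return $wpdb->get_results( $sql ); // query text is attacker-influenced
}

// Hardened form: URL hygiene and SQL quoting are separate concerns.
// esc_url_raw() still normalises the values; $wpdb->prepare() handles the
// SQL context, so metacharacters in a value can never change the query shape.
function get_global_remediations_safe( array $urls ) {
    global $wpdb;
    $clean = array_values( array_filter( array_map( 'esc_url_raw', $urls ) ) );
    if ( empty( $clean ) ) {
        return array();
    }
    // One %s placeholder per value; prepare() quotes and escapes each one.
    $placeholders = implode( ',', array_fill( 0, count( $clean ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT r.* FROM {$wpdb->prefix}ally_remediations r "
        . "JOIN {$wpdb->posts} p ON p.ID = r.page_id AND r.url IN ({$placeholders})",
        ...$clean
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing similar code, the check is whether every value that reaches $wpdb->query()/get_results() passed through $wpdb->prepare() (or an equivalent SQL-context escaper), regardless of which URL or HTML escaper touched it earlier.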

Potential impact of CVE-2026-2413

  1. Data Breach Risk: Attackers can exploit SQL Injection to access and extract sensitive information stored in the database, including user credentials, personally identifiable information (PII), and other confidential data. This could lead to significant privacy violations and compliance issues for organizations.

  2. Service Disruption: By manipulating database queries, attackers may disrupt the normal operations of affected websites, potentially leading to downtime or performance degradation, which can adversely affect user experience and reduce trust in the affected services.

  3. Reputation Damage: Organizations that experience a data breach or service disruption due to this vulnerability may suffer long-term reputational damage. Loss of customer trust can result in decreased user engagement and financial losses, particularly for businesses reliant on their online presence.

Affected Version(s)

Ally – Web Accessibility & Usability <= 4.0.3

EPSS Score

26% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Drew Webber