A serious security vulnerability has been discovered in Ally, a WordPress plugin developed by Elementor for improving website accessibility and usability.
The flaw could allow attackers to steal sensitive data from websites without needing to log in.
The vulnerability, tracked as CVE-2026-2313, affects all versions of the Ally plugin up to version 4.0.3. Security researchers say the issue could be exploited through an SQL injection attack, one of the most common and dangerous types of web security flaws.
The vulnerability was discovered by Drew Webber, an offensive security engineer at Acquia, a company that provides enterprise digital experience platforms. The issue has been given a high severity rating due to the risk it poses to hundreds of thousands of websites.
SQL injection attacks happen when user input is added directly into database queries without proper validation or protection. This allows attackers to insert malicious SQL commands that can change how the database query works. As a result, hackers may be able to read, modify, or delete data stored in a website’s database.
In this case, the flaw exists in a function called get_global_remediations() inside the Ally plugin. According to a technical analysis from Wordfence, the vulnerability is caused by insufficient sanitization of a URL parameter supplied by users.
The plugin uses a function called esc_url_raw() to clean the URL input. However, this function only ensures that the input is safe as a URL and does not prevent SQL special characters, such as quotes or parentheses, from being injected. Because of this, attackers can manipulate the SQL query by adding their own commands.
Researchers say attackers could exploit this weakness through time-based blind SQL injection techniques to extract sensitive information from a website’s database.
The attack is only possible if the Ally plugin is connected to an Elementor account and the Remediation module is enabled.
Wordfence reported the vulnerability to Elementor on February 13. The company released a fix in version 4.1.0 of the plugin on February 23. The researcher who discovered the flaw received an $800 bug bounty for the report.
However, update adoption has been slow. Data from WordPress.org shows that only about 36 percent of websites using the Ally plugin have upgraded to version 4.1.0, leaving more than 250,000 websites potentially vulnerable to the attack.
Security experts recommend that website administrators update the Ally plugin immediately to version 4.1.0 or later.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
In addition, WordPress users are also advised to install the latest WordPress security update. The recently released WordPress 6.9.2 patch fixes 10 vulnerabilities, including issues related to cross-site scripting, authorization bypass, and server-side request forgery. WordPress developers recommend installing the update as soon as possible to reduce security risks.





