Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks
securityweek
A vulnerability in the Ally WordPress plugin, which is designed for adding accessibility features to websites, could be exploited to extract sensitive information from the databases of over 200,000 sites.
Tracked as CVE-2026-2413 (CVSS score of 7.5), the bug is described as an SQL injection issue via the URL path: user-supplied URL parameters reach a certain method without being sufficiently sanitized.
The sanitization mechanism fails to prevent the injection of SQL metacharacters such as single quotes and parentheses, WordPress security firm Defiant explains.
“This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques,” the security firm notes.
The issue was identified in the plugin’s implementation of the ‘subscribers’ query functionality, which does not use the WordPress wpdb prepare() function, meant to ...
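The coding pattern the advisory describes, shown as an added illustration rather than the plugin's own code: a subscribers query assembled from URL input without wpdb prepare(), beside the prepared-statement form and an allow-list check. The function, table and column names and the status values are assumed.

```php
<?php
// Illustrative only: hypothetical handler modelled on the pattern the
// advisory describes (a query built from URL input without $wpdb->prepare()).
// This is NOT the Ally plugin's code; function, table and column names are assumed.

// Before: the URL-supplied value is concatenated straight into the SQL.
// Metacharacters such as ' and ) in $status pass through untouched, so the
// WHERE clause is rewritten by whatever the request path contains.
function get_subscribers_unsafe( $wpdb, $status ) {
    $table = $wpdb->prefix . 'ally_subscribers'; // assumed table name
    $sql   = "SELECT id, email FROM {$table} WHERE status = '{$status}'";
    return $wpdb->get_results( $sql );
}

// After: $wpdb->prepare() binds the value as a parameter. WordPress escapes
// and quotes the %s placeholder itself, so the input is only ever compared
// as a string and is never parsed as SQL.
function get_subscribers_safe( $wpdb, $status ) {
    $table = $wpdb->prefix . 'ally_subscribers'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE status = %s",
        $status
    );
    return $wpdb->get_results( $sql );
}

// Defence in depth: restrict the value to a known set before any query runs,
// so unexpected input is dropped rather than merely escaped.
function normalise_status( $raw ) {
    $allowed = array( 'active', 'pending', 'unsubscribed' ); // assumed values
    $value   = sanitize_key( (string) $raw ); // WordPress helper: keeps [a-z0-9_-] only
    return in_array( $value, $allowed, true ) ? $value : 'active';
}
```

A code review or static check that flags `$wpdb->get_results()`, `get_var()` and `query()` calls whose SQL string contains interpolated variables, and that were not built through `prepare()`, catches this class of defect before it ships.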
Copyright of this story solely belongs to securityweek.