Another worrying WordPress plugin security flaw could put 250,000 websites at risk
techradar.com
- Ally WordPress plugin carried SQL injection flaw (CVE-2026-2413)
- Vulnerability left ~246,600 sites exposed to data theft
- Fixed in version 4.1.0; WordPress urges immediate updates
A popular WordPress plugin with hundreds of thousands of active installations carried a high-severity vulnerability that allowed malicious actors to steal sensitive data from websites, experts have warned.
Ally is a web accessibility tool from Elementor, released in November 2025, that not only identifies accessibility issues but also offers solutions and walks web admins through the process of applying them.
But according to security researcher Drew Webber from Acquia, Ally was carrying an SQL injection vulnerability that allows unauthenticated attackers to submit data to the SQL database without proper sanitization.
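Administrators running several sites can check which ones still run a release older than the 4.1.0 fix by parsing their plugin inventories. The script below is an added example, not code from the article or from Elementor; it assumes each inventory is the JSON printed by WP-CLI's `wp plugin list --format=json`, and the slug `example-ally-slug` and the host names are constructed placeholders, since the article does not give the plugin's slug.

```python
import json
import re

FIXED = (4, 1, 0)           # first patched release, per the article
SLUG = "example-ally-slug"  # placeholder: substitute the plugin's real slug

# Constructed sample inventories, one JSON document per site.
SAMPLE = {
    "shop.example": '[{"name":"example-ally-slug","status":"active","version":"4.0.3"},'
                    ' {"name":"other-plugin","status":"active","version":"2.0"}]',
    "blog.example": '[{"name":"example-ally-slug","status":"active","version":"4.1.0"}]',
    "docs.example": '[{"name":"example-ally-slug","status":"inactive","version":"4.1.0-beta1"}]',
    "intranet.example": '[{"name":"other-plugin","status":"active","version":"2.0"}]',
}

def parse_version(text):
    """Return (numeric_tuple, has_suffix), or None if there is no leading number."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # "4.1" is compared as (4, 1, 0)
    return nums, bool(m.group(2))

def status(version_text):
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # needs manual review
    nums, has_suffix = parsed
    # A pre-release of the fixed version (e.g. 4.1.0-beta1) is treated as unpatched.
    if nums < FIXED or (nums == FIXED and has_suffix):
        return "vulnerable"
    return "patched"

def audit(inventory, slug):
    """Map each site that has the plugin to (version, plugin status, verdict)."""
    findings = {}
    for site, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin.get("name") == slug:
                version = str(plugin.get("version", ""))
                findings[site] = (version, plugin.get("status"), status(version))
    return findings

if __name__ == "__main__":
    for site, (version, state, verdict) in sorted(audit(SAMPLE, SLUG).items()):
        print(f"{site:18} {version:12} {state:9} {verdict}")
```

Inactive copies are reported as well, so an unpatched install left on disk is not overlooked.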
Thousands of vulnerable websites
“This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used ...

