cbcvebase.
CVE-2026-2413
published 2026-03-11


Priority: P2 · 63 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 2.29% (81.0th percentile)
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.

Affected (1 range)

Vendor     Product                           Version range   Fixed in
elemntor   ally_web_accessibility_usability  <= 4.0.3

Detection & IOCs (extracted from sources)

Version: Ally – Web Accessibility & Usability <= 4.0.3
  • Vulnerable function is `get_global_remediations()` — monitor for SQL metacharacters (single quotes, parentheses) injected via the URL path parameter in requests to this method, consistent with time-based blind SQLi payloads.
  • Exploitation is unauthenticated — no session or authentication token is required. Look for anomalous SQL-like patterns in URL path values in web server access logs from unauthenticated requests.
  • Fingerprint vulnerable WordPress installations by checking HTTP response body for the string `registerAllyAction` combined with a 200 or 404 status code.
  • Time-based blind SQL injection is the confirmed exploitation technique — detect via anomalously delayed database responses (e.g., SLEEP/BENCHMARK payloads) correlated with requests to the Ally plugin endpoint.
  • Exploitation requires the Ally plugin's Remediation module to be active AND the plugin to be connected to an Elementor account. Sites without this configuration are not exploitable even if running a vulnerable version.
  • `esc_url_raw()` is applied to the URL parameter but is insufficient for SQL context — it does not strip SQL metacharacters such as single quotes and parentheses, which are the injection vectors.
  • As of the reporting date, only ~36% of Ally plugin installations had upgraded to the patched version 4.1.0, leaving over 250,000 sites exposed.
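The detection points above (SQL metacharacters in a URL path segment, SLEEP/BENCHMARK functions, unauthenticated requests) can be turned into a simple access-log scan. This is an added example, not code from the advisory or the plugin; the endpoint prefix `/ally/` is an assumed placeholder because the advisory does not name the plugin's actual route, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumed endpoint prefix: the advisory does not name the plugin's URL route,
# so this placeholder must be replaced with the real route in your deployment.
ALLY_PATH_HINT = "/ally/"

# Apache/Nginx "combined" access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# Indicators the advisory names: SQL metacharacters that esc_url_raw() passes
# through, and the SLEEP/BENCHMARK functions used for time-based blind SQLi.
META_RE = re.compile(r"['()]")
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Reasons this request looks like SQLi via the URL path ([] if benign)."""
    # Decode twice: payloads in path segments are frequently double-encoded.
    path = unquote(unquote(rec["target"])).split("?", 1)[0]
    reasons = []
    if ALLY_PATH_HINT in path:
        if META_RE.search(path):
            reasons.append("sql-metachar-in-path")
        if TIME_BASED_RE.search(path):
            reasons.append("time-based-sqli-function")
    return reasons

def scan(lines):
    """Return (ip, raw target, status, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            hits.append((rec["ip"], rec["target"], rec["status"], reasons))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Mar/2026:10:00:01 +0000] "GET /ally/remediations/https%3A%2F%2Fexample.com%2Fpage HTTP/1.1" 200 512',
    '203.0.113.11 - - [11/Mar/2026:10:00:05 +0000] "GET /ally/remediations/https%3A%2F%2Fexample.com%2F%27%29%20AND%20SLEEP%285%29-- HTTP/1.1" 200 512',
    '198.51.100.5 - - [11/Mar/2026:10:00:09 +0000] "GET /wp-content/uploads/photo(1).jpg HTTP/1.1" 200 9001',
]
```

`scan(SAMPLE_LOG)` flags only the second line (quote and parenthesis plus `SLEEP(` inside the plugin path); the third line has parentheses but is outside the plugin route, so it is not reported. Feed real access logs through `scan()` line by line and correlate hits with slow database responses to confirm time-based probing.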