CVE-2026-2413
Published: 2026-03-11
Severity: High (CVSS 3.1 base score 7.5; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 2.29% (81.0th percentile)
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
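As an added illustration (not the plugin's code and not a quote of `get_global_remediations()`), the bug class the description names, a URL parameter passed through `esc_url_raw()` and concatenated into a JOIN clause, beside the parameterised form using `$wpdb->prepare()`. It assumes a WordPress runtime (`$wpdb`, `esc_url_raw()`); the table and column names are hypothetical.

```php
<?php
/**
 * Added illustration, not the plugin's code. Assumes a WordPress runtime
 * ($wpdb, esc_url_raw()). Table and column names are hypothetical.
 */

// VULNERABLE PATTERN (the bug class described for CVE-2026-2413):
// esc_url_raw() sanitises for the URL "db" context: it drops characters outside
// its allowed set but keeps single quotes and parentheses, and unlike esc_url()
// in "display" context it does NOT convert ' to &#039;. Nothing here escapes the
// value for SQL, so the string lands verbatim inside the JOIN condition.
function remediations_for_url_vulnerable( string $raw_url ): array {
    global $wpdb;
    $url = esc_url_raw( $raw_url ); // URL-safe, not SQL-safe

    $sql = "SELECT r.* FROM {$wpdb->prefix}ally_remediations r"
         . " JOIN {$wpdb->prefix}ally_pages p ON p.id = r.page_id"
         . " AND p.url = '" . $url . "'";          // raw string concatenation

    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// HARDENED PATTERN: keep esc_url_raw() for URL hygiene, but bind the value with
// $wpdb->prepare(). The %s placeholder is quoted and escaped for the SQL
// context, so quotes and parentheses in the input stay data, never syntax.
function remediations_for_url_hardened( string $raw_url ): array {
    global $wpdb;
    $url = esc_url_raw( $raw_url );

    $sql = $wpdb->prepare(
        "SELECT r.* FROM {$wpdb->prefix}ally_remediations r"
        . " JOIN {$wpdb->prefix}ally_pages p ON p.id = r.page_id"
        . " AND p.url = %s",
        $url
    );

    return (array) $wpdb->get_results( $sql, ARRAY_A );
}
```

The defensive rule the two functions contrast is that each escaping function is bound to one output context; a value that has been made safe for a URL still needs SQL-context binding before it is interpolated into a query.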
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elemntor | ally_web_accessibility_usability | <= 4.0.3 | — |
Detection & IOCs (extracted from sources)
- Vulnerable function is `get_global_remediations()` — monitor for SQL metacharacters (single quotes, parentheses) injected via the URL path parameter in requests to this method, consistent with time-based blind SQLi payloads.
- Exploitation is unauthenticated — no session or authentication token is required. Look for anomalous SQL-like patterns in URL path values in web server access logs from unauthenticated requests.
- Fingerprint vulnerable WordPress installations by checking the HTTP response body for the string `registerAllyAction` combined with a 200 or 404 status code.
- Time-based blind SQL injection is the confirmed exploitation technique — detect via anomalously delayed database responses (e.g., SLEEP/BENCHMARK payloads) correlated with requests to the Ally plugin endpoint.
- Exploitation requires the Ally plugin's Remediation module to be active AND the plugin to be connected to an Elementor account. Sites without this configuration are not exploitable even if running a vulnerable version.
- `esc_url_raw()` is applied to the URL parameter but is insufficient for SQL context — it does not strip SQL metacharacters such as single quotes and parentheses, which are the injection vectors.
- As of the reporting date, only ~36% of Ally plugin installations had upgraded to the patched version 4.1.0, leaving over 250,000 sites exposed.
No detection rules found.
Nuclei
Ally – Web Accessibility & Usability <= 4.0.3 - SQL Injection
nuclei · CVSS 7.5 · CVE-2026-2413 [HIGH]
Matcher fragment (the rest of the template was not captured):
```yaml
- 'status_code==404 || status_code==200'
- 'contains(body, "registerAllyAction")'
condition: and
# digest: 490a004630440220232c43ee3b7d337353257f48279b79bacb92f27a36e86b249d84431dcd284b9702200f730b2be5e9b0fb98e6353b253630aadfd769c7aa80ed024f026475f57fe3a9:922c64590222798bb761d5b6d8e72950
```
Bleepingcomputer
## SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites
blogs_bleepingcomputer · 2026-03-11 · CVSS 7.5 · CVE-2026-2413 [HIGH]
By Bill Toulas
An SQL injection vulnerability in Ally, a WordPress plugin from Elementor for web accessibility and usability with more than 400,000 installations, could be exploited to steal sensitive data without authentication.
The security issue, tracked as CVE-2026-2413, received a high severity score. It was discovered by Drew Webber (mcdruid), an offensive security engineer at Acquia, a software-as-a-service company that provides an enterprise-level Digital Experience Platform (DXP).
SQL injection flaws have been around for more than 25 years and continue to be a threat today, despite being well understood and technically easy to fix and avoid. This type of security issue occurs when user input is directly inse
Wiz
## CVE-2026-2413 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CVE-2026-2413 [CRITICAL]
CVE-2026-2413: WordPress vulnerability analysis and mitigation (source: NVD)

| Field | Value |
|---|---|
| Score | 7.5 |
| Published | March 11, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | WordPress |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 96.4 |
| Exploitation Probability (EPSS) | 27.9 |
| Affected packages and libraries | pojo-accessibility |
| Sources | NVD |
References
- https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/classes/utils.php#L17
- https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/database/remediation-entry.php#L215
- https://plugins.trac.wordpress.org/changeset/3467513/pojo-accessibility/trunk/modules/remediation/database/remediation-entry.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/00e070b7-bdf6-4a80-a3ee-628243f1cc25?source=cve