

Ethical Hacking News

Critical SQL Injection Flaw Exposed in Ally Plugin Leaves Millions of WordPress Sites Vulnerable to Cyber Attacks


A critical SQL injection flaw has been discovered in the popular WordPress plugin Ally, which leaves millions of websites vulnerable to cyber attacks. The vulnerability was reported by an offensive security engineer and addressed by the development team within days.

  • A critical SQL injection flaw (CVE-2026-2413) has been discovered in the Ally WordPress plugin, affecting over 400,000 websites.
  • The vulnerability allows attackers to extract sensitive data from affected sites' databases, including password hashes.
  • The issue was identified by an Acquia engineer and responsibly reported through the Wordfence Bug Bounty Program.
  • The vulnerability stems from insecure handling of the subscribers query in Ally, which allows malicious SQL to be injected.
  • A patched version (4.1.0) has been released to address the issue; users are urged to update the plugin immediately.



A critical SQL injection flaw has been discovered in the popular WordPress plugin Ally, which is used on over 400,000 websites worldwide. The vulnerability, tracked as CVE-2026-2413 (CVSS score 7.5), allows attackers to extract sensitive data from the affected sites' databases, including password hashes.

The Ally plugin, formerly known as One Click Accessibility, offers a range of features designed to help creators build accessible and usable websites. However, a critical vulnerability in the plugin's code has left millions of WordPress sites exposed to cyber attacks. The issue was discovered by an offensive security engineer named Drew Webber at Acquia, who responsibly reported it through the Wordfence Bug Bounty Program.

According to the report, the vulnerability stems from the insecure handling of the subscribers query in Ally. The plugin builds a SQL JOIN query using a page URL parameter without properly sanitizing or parameterizing it. This allows attackers to inject malicious SQL code and extract sensitive information from the affected sites' databases.
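To show the class of defect described above, here is an added illustration in WordPress PHP (not Ally's code; the table names, column names and function names are hypothetical): a subscribers lookup that splices a request-controlled page URL into a JOIN query, beside the same query built with `$wpdb->prepare()`.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress's global $wpdb and two
// hypothetical tables, {prefix}acc_subscribers and {prefix}acc_pages.

/**
 * Vulnerable pattern: $page_url comes from the request and is concatenated
 * straight into the SQL text, so input containing quote characters can change
 * the structure of the statement instead of being treated as a value.
 */
function subscribers_for_page_unsafe( string $page_url ): array {
    global $wpdb;
    $sql = "SELECT s.email
              FROM {$wpdb->prefix}acc_subscribers AS s
              JOIN {$wpdb->prefix}acc_pages AS p ON p.id = s.page_id
             WHERE p.url = '" . $page_url . "'";
    return (array) $wpdb->get_results( $sql );
}

/**
 * Hardened pattern: the URL is validated first, then passed to $wpdb->prepare()
 * as a %s argument. prepare() escapes it as a single string literal, so the
 * query structure is fixed by the developer and cannot be altered by input.
 */
function subscribers_for_page_safe( string $page_url ): array {
    global $wpdb;

    // Reject anything that is not a well-formed URL before it reaches the DB.
    $clean_url = esc_url_raw( $page_url );
    if ( '' === $clean_url ) {
        return array();
    }

    $sql = $wpdb->prepare(
        "SELECT s.email
           FROM {$wpdb->prefix}acc_subscribers AS s
           JOIN {$wpdb->prefix}acc_pages AS p ON p.id = s.page_id
          WHERE p.url = %s",
        $clean_url
    );
    return (array) $wpdb->get_results( $sql );
}
```

Any handler reachable without authentication should use the second form; a static check for `$wpdb->get_results`/`get_var`/`query` calls whose argument is not wrapped in `$wpdb->prepare()` is a quick way to find the first form across a plugin.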

The development team behind the Ally plugin has since addressed the issue by releasing a patched version, 4.1.0. Users are urged to update their plugins to this latest version as soon as possible to mitigate the risk of exploitation. The Wordfence advisory published on February 13 notes that "the vulnerability has been addressed in version 4.1.0 of the plugin."

The impact of this vulnerability is significant, given that Ally is in use across millions of WordPress sites. Many of these sites rely on the plugin to build accessible and usable websites, and they could be compromised if attackers gain access to sensitive data. The development team's swift response has helped minimize the risk, but it remains crucial for users to take action.

In conclusion, this discovery serves as a stark reminder of the importance of regular software updates and vulnerability testing in protecting against cyber attacks. As security threats continue to evolve, it is essential for organizations and individuals alike to prioritize robust cybersecurity practices and stay informed about emerging vulnerabilities.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-SQL-Injection-Flaw-Exposed-in-Ally-Plugin-Leaves-Millions-of-WordPress-Sites-Vulnerable-to-Cyber-Attacks-ehn.shtml

  • https://securityaffairs.com/189354/security/critical-sql-injection-bug-in-ally-plugin-threatens-400000-wordpress-sites.html

  • https://www.wordfence.com/blog/2026/03/400000-wordpress-sites-affected-by-unauthenticated-sql-injection-vulnerability-in-ally-wordpress-plugin/

  • https://securityonline.info/high-severity-sql-injection-in-ally-wordpress-plugin-threatens-400k-sites/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-2413

  • https://www.cvedetails.com/cve/CVE-2026-2413/


  • Published: Thu Mar 12 08:45:57 2026 by llama3.2 3B Q4_K_M
