A recently discovered SQL Injection vulnerability in the Ally WordPress plugin has put over 400,000 sites at risk. This vulnerability poses a significant threat, allowing attackers to extract sensitive data from databases.
On February 4th, 2026, security researcher Drew Webber, known as mcdruid, identified and reported an unauthenticated SQL Injection vulnerability in the Ally plugin. The vulnerability, affecting all versions up to 4.0.3, was promptly addressed through the Wordfence Bug Bounty Program. Webber was awarded $800 for his discovery, highlighting the importance of vigilant vulnerability research in maintaining WordPress security.
Wordfence, committed to enhancing WordPress security through defense in depth, acted swiftly. They disclosed the vulnerability details to the Elementor team on February 13th, 2026. The team responded promptly, releasing a patch by February 23rd, 2026, in version 4.1.0 of the Ally plugin. Wordfence users, including those using the free version, are already protected against exploits targeting this vulnerability through their firewall’s SQL Injection protection.
Unauthenticated SQL Injection: A High-Risk Threat
The vulnerability, identified under CVE-2026-2413, received a CVSS rating of 7.5, classifying it as high risk. The flaw stems from insufficient escaping of user-supplied URL parameters in the get_global_remediations() method. The method concatenates these parameters directly into an SQL JOIN clause without the escaping or parameterization an SQL context requires.

This oversight enables unauthenticated attackers to append additional SQL to the existing query, potentially extracting sensitive information through time-based blind SQL injection techniques. Notably, the esc_url_raw() function, while applied for URL safety, does not neutralize SQL metacharacters such as single quotes: a value can be a valid URL and still break out of an SQL string literal, which is why escaping for one context cannot be relied on for another.
Why Immediate Action is Crucial for Site Operators
The urgency for site operators to update to version 4.1.0 cannot be overstated. Failing to patch leaves sites vulnerable to data breaches, potentially compromising user credentials and more. The Ally plugin connects to Elementor accounts through its Remediation module; that module must be active for the vulnerable code path to be reachable, so sites that have enabled it are the ones exposed.
Wordfence’s continued investment in their Bug Bounty Program, offering substantial incentives, exemplifies the proactive approach required to combat high-threat vulnerabilities. Their current promotion, running until April 6th, 2026, offers triple incentives for identifying and reporting high-threat vulnerabilities, further encouraging the community to contribute to WordPress security.
What To Do
- Site Operators: Immediately update the Ally plugin to version 4.1.0 to mitigate the vulnerability risk.
- Developers: Review your code for similar vulnerabilities, ensuring the use of WordPress's wpdb::prepare() function to escape SQL queries.
- Security Researchers: Participate in the Wordfence Bug Bounty Program to help identify and report vulnerabilities.
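The following is an added example, not the Ally plugin's code, that illustrates both the failure pattern described above (a URL parameter passed through esc_url_raw() and concatenated into a JOIN clause) and the wpdb::prepare() fix recommended to developers. The table names, function names and the MockWpdb class are assumptions so the script runs from the command line outside WordPress; esc_url_raw_stand_in() reproduces only the character filter that esc_url_raw() applies, and MockWpdb::prepare() only the %s placeholder, both simplified.

```php
<?php
declare(strict_types=1);

// Added example (not the Ally plugin's code). Table names, function names
// and MockWpdb are assumptions so this runs outside WordPress.

/**
 * Stand-in for the character filter esc_url_raw() applies (assumption:
 * simplified; the real function also normalizes schemes and entities).
 * It drops characters outside the URL-safe set but keeps quotes,
 * parentheses and semicolons, which are legal in URLs and are exactly
 * the characters that matter inside an SQL string literal.
 */
function esc_url_raw_stand_in(string $url): string
{
    return (string) preg_replace(
        '|[^a-z0-9\-~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff]|i',
        '',
        $url
    );
}

/**
 * Minimal stand-in for the WordPress $wpdb object (assumption). The real
 * prepare() escapes through the live MySQL connection and also supports
 * %d, %f and (since WordPress 6.2) %i; here only %s is handled, becoming a
 * single-quoted literal with quotes and backslashes backslash-escaped.
 */
final class MockWpdb
{
    public string $prefix = 'wp_';

    public function prepare(string $query, string ...$args): string
    {
        $i = 0;
        return (string) preg_replace_callback(
            '/%s/',
            function () use ($args, &$i): string {
                return "'" . addslashes($args[$i++]) . "'";
            },
            $query
        );
    }
}

/** The vulnerable shape: URL-escaped, then string-concatenated into SQL. */
function build_query_vulnerable(MockWpdb $wpdb, string $raw_url): string
{
    $url = esc_url_raw_stand_in($raw_url); // URL-safe, not SQL-safe
    return "SELECT r.id FROM {$wpdb->prefix}ally_remediations r "
        . "JOIN {$wpdb->prefix}ally_urls u ON u.id = r.url_id AND u.url = '{$url}'";
}

/** The fix: the value travels through prepare() as a %s placeholder. */
function build_query_hardened(MockWpdb $wpdb, string $raw_url): string
{
    $url = esc_url_raw_stand_in($raw_url);
    return $wpdb->prepare(
        "SELECT r.id FROM {$wpdb->prefix}ally_remediations r "
        . "JOIN {$wpdb->prefix}ally_urls u ON u.id = r.url_id AND u.url = %s",
        $url
    );
}

/**
 * Simple structural check: every unescaped single quote should pair up.
 * An odd count means the user value terminated the string literal early.
 */
function quotes_balanced(string $sql): bool
{
    $unescaped = (int) preg_match_all("/(?<!\\\\)'/", $sql);
    return $unescaped % 2 === 0;
}

$wpdb = new MockWpdb();
// Constructed input: a benign URL containing an apostrophe, which is enough
// to show that URL escaping leaves the quote in place.
$input = "https://example.com/o'reilly";

$queries = [
    'vulnerable' => build_query_vulnerable($wpdb, $input),
    'hardened'   => build_query_hardened($wpdb, $input),
];
foreach ($queries as $label => $sql) {
    printf("%-10s balanced=%-3s %s\n", $label, quotes_balanced($sql) ? 'yes' : 'no', $sql);
}
```

Running the script shows the vulnerable query with an odd number of quotes (the apostrophe in the URL closed the literal and the rest of the value became SQL), while the prepared query carries the same value as an escaped literal. Note that prepare() parameterizes values only: the JOIN's table and column names must stay fixed in code (or, on WordPress 6.2 and later, go through the %i identifier placeholder), and a review for this class of bug should look for any request value that reaches a query string without passing through prepare(), regardless of which display- or URL-oriented escaping function was applied first.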