An SQL injection vulnerability in Ally, a WordPress plugin from Elementor for web accessibility and compliance with more than 400,000 installations, could be exploited to steal sensitive data without authentication.
The security issue, tracked as CVE-2026-2313, received a high severity rating. It was discovered by Drew Webber (mcdruid), an offensive security engineer at Acquia, a software-as-a-service company that provides an enterprise-level Digital Experience Platform (DXP).
SQL injection flaws have been around for more than 25 years and continue to be a threat today, despite being well understood and technically easy to fix and avoid. This type of security issue occurs when user input is inserted directly into an SQL database query without proper sanitization or parameterization.
This allows an attacker to inject SQL commands that alter the query's behavior to read, modify, or delete records in the database.
CVE-2026-2313 affects all Ally versions up to 4.0.3 and allows an unauthenticated attacker to inject SQL queries via the URL path due to improper handling of a user-supplied URL parameter in a critical function.
“This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context,” reads a technical analysis from Wordfence.
“While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected.
“This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques,” the researchers explain.
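To make the failure mode concrete, here is an added Python example (not Wordfence's analysis or the plugin's code) that mirrors the pattern the advisory describes: a value that has passed a URL sanitizer is concatenated into the JOIN clause, and a single quote that is legal in a URL still reaches the SQL parser. The URL sanitizer, table layout and sample data are constructed stand-ins; the hardened variant binds the value as a parameter, which in WordPress corresponds to `$wpdb->prepare()`.

```python
import sqlite3
import urllib.parse

# Constructed sample schema: accessibility remediations joined to the page they apply to.
SAMPLE_SCHEMA = """
CREATE TABLE pages (id INTEGER PRIMARY KEY, url TEXT NOT NULL);
CREATE TABLE remediations (id INTEGER PRIMARY KEY, page_id INTEGER NOT NULL, rule TEXT NOT NULL);
INSERT INTO pages VALUES (1, 'https://example.test/about'), (2, 'https://example.test/contact');
INSERT INTO remediations VALUES (1, 1, 'alt-text'), (2, 2, 'contrast'), (3, 2, 'label');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn

def url_sanitize(value):
    """Constructed stand-in for a URL sanitizer such as esc_url_raw(): percent-encodes
    characters that are not valid in a URL, but keeps single quotes and parentheses
    because they are legal URL characters. It is not SQL escaping."""
    return urllib.parse.quote(value.strip(), safe=":/?&=#'()")

JOIN_SQL = ("SELECT r.rule FROM remediations r "
            "JOIN pages p ON p.id = r.page_id AND p.url = ")

def remediations_concat(conn, url):
    """Vulnerable pattern described in the advisory: the URL-sanitized value is
    concatenated straight into the JOIN clause. A quote in the input reaches the
    SQL parser, so even a benign URL containing an apostrophe breaks the query."""
    sql = JOIN_SQL + "'" + url_sanitize(url) + "'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)

def remediations_prepared(conn, url):
    """Hardened variant: the value is bound as a parameter, so quotes and parentheses
    are data, never syntax. The WordPress equivalent is $wpdb->prepare() with %s."""
    return sorted(row[0] for row in conn.execute(JOIN_SQL + "?", (url_sanitize(url),)))

if __name__ == "__main__":
    db = make_db()
    for u in ("https://example.test/contact", "https://example.test/o'neill"):
        print(u, "->", remediations_concat(db, u), "|", remediations_prepared(db, u))
```

A query that errors on an apostrophe in ordinary input is the cheapest test a reviewer can run to spot this class of bug before anyone crafts a payload.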
Wordfence notes that exploiting the vulnerability is possible only if the plugin is connected to an Elementor account and its Remediation module is active.
The security firm validated the flaw and disclosed it to the vendor on February 13. Elementor fixed the flaw in version 4.1.0 (latest), released on February 23, and an $800 bug bounty was awarded to the researcher.
Data from WordPress.org shows that only about 36% of websites using the Ally plugin have upgraded to version 4.1.0, leaving more than 250,000 sites vulnerable to CVE-2026-2313.
In addition to upgrading Ally to version 4.1.0, site owners and administrators are also advised to install the latest security update for WordPress, released yesterday.
WordPress 6.9.2 addresses 10 vulnerabilities, including cross-site scripting (XSS), authorization bypass, and server-side request forgery (SSRF) flaws. The new version of the platform is recommended to be installed “immediately.”