An SQL injection vulnerability in the WordPress plugin Ally poses a risk to more than 250,000 sites.
A security researcher from SaaS company Acquia discovered a vulnerability in Ally, a plugin made by Elementor, the company behind the WordPress site builder of the same name. Because of an SQL injection flaw, attackers can extract sensitive data without needing to authenticate.
High severity score
The vulnerability (CVE-2026-2413) affects all Ally versions up to and including 4.0.3 and has been rated high severity. SQL injection is one of the oldest classes of web vulnerability: it arises when user-supplied input is concatenated directly into an SQL query instead of being validated and passed as a bound parameter. An attacker can then inject SQL of their own and, in the worst case, read everything in the database, according to Bleeping Computer.
Limited number of installations
Wordfence's analysis states that the vulnerability can only be exploited if the plugin is connected to an active Elementor account and the recovery module is enabled. Only 36 percent of the roughly 400,000 installations have been upgraded to version 4.1.0, which leaves ‘only’ about 250,000 websites vulnerable to CVE-2026-2413.
In addition to upgrading Ally to version 4.1.0, website administrators are also advised to install the latest WordPress security update, which was released on Monday.
