A critical security vulnerability identified as CVE-2026-2413 has been discovered in the Ally WordPress plugin, potentially exposing over 400,000 websites to data theft. This unauthenticated SQL injection flaw allows attackers to bypass security measures and extract sensitive information, such as password hashes, directly from a site's database.
The Ally plugin, previously known as One Click Accessibility, is a popular tool designed to help website owners improve digital accessibility through AI-driven scanners and automated statements. On February 4, 2026, security researcher Drew Webber identified a flaw in how the plugin handles specific database queries. Because the plugin failed to use standard WordPress security functions to sanitize user input, it became possible for an external party to manipulate the underlying SQL code without needing to log in.
The technical root of the problem lies in the insecure concatenation of URL parameters within the plugin’s internal methods. Specifically, the software used a basic URL cleaning function that was insufficient for preventing SQL-based attacks, as it did not block characters like single quotes or parentheses. By leveraging time-based blind SQL injection techniques, an attacker could force the server to pause its response based on specific database values, effectively leaking data piece by piece through these delays.
Following the discovery, the flaw was reported through a bug bounty program, leading to a coordinated disclosure process with the vendor. The developers were notified in mid-February and worked to implement a fix that utilizes proper query parameterization. This update ensures that user-supplied data is treated as plain text rather than executable code, successfully closing the loophole that allowed for unauthorized database access.
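As an added illustration of the root cause and the fix described above (this is not the Ally plugin's code, and it is written in Python with sqlite3 rather than PHP so that it runs stand-alone): a constructed URL-character whitelist stands in for the plugin's URL cleaning function, and the `?` placeholder plays the role that `$wpdb->prepare()` placeholders play in WordPress. The table, column and function names are constructed for the example.

```python
import re
import sqlite3

# Stand-in for a URL sanitizer: it keeps only characters RFC 3986 allows in a
# URL. Constructed for this example (not WordPress's own function), but like
# the "URL cleaning function" in the article it leaves ' and ( ) in place,
# because they are legal URL characters.
_URL_CHARS = re.compile(r"[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]")


def url_clean(value: str) -> str:
    """Strip everything that is not a legal URL character."""
    return _URL_CHARS.sub("", value)


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a plugin lookup table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, page_url TEXT)")
    conn.execute("INSERT INTO pages (page_url) VALUES ('https://example.com/about')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw: str):
    """The flawed pattern: the URL-cleaned value is concatenated into the SQL
    text, so any surviving quote or parenthesis is parsed as SQL, not data."""
    sql = f"SELECT id FROM pages WHERE page_url = '{url_clean(raw)}'"
    return conn.execute(sql).fetchone()


def lookup_fixed(conn: sqlite3.Connection, raw: str):
    """The patched pattern: the value is a bound parameter. The driver sends
    it as data, so quotes and parentheses never reach the SQL parser."""
    sql = "SELECT id FROM pages WHERE page_url = ?"
    return conn.execute(sql, (url_clean(raw),)).fetchone()


def input_alters_query(conn: sqlite3.Connection, raw: str) -> bool:
    """True when the vulnerable lookup cannot parse its own query: the input
    changed the query's structure, which is the condition injection needs."""
    try:
        lookup_vulnerable(conn, raw)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    odd = "https://example.com/about'('"  # all legal URL characters
    print(url_clean(odd) == odd)          # True: the sanitizer keeps ' and ( )
    print(input_alters_query(db, odd))    # True: concatenation broke the query
    print(lookup_fixed(db, odd))          # None: treated as a literal, no match
```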
Security experts and the plugin developers now urge all administrators to update to version 4.1.0 immediately to protect their systems. Given the large user base and the sensitive nature of the data at risk, staying on older versions poses a significant security threat. Verifying that the patch is active is the most effective way to safeguard site information and maintain the integrity of the WordPress installation.
Source: Critical SQL Injection Flaw In Ally Plugin Puts 400,000+ WordPress Sites At Risk