Severity: HIGH | Category: Vulnerabilities | Source: SecurityWeek

Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks

A high-severity SQL injection vulnerability (CVE-2026-2413, CVSS 7.5) in the Ally WordPress plugin allows unauthenticated attackers to inject additional SQL into existing queries via insufficiently sanitized URL parameters, enabling data exfiltration through time-based blind techniques. The flaw affects Ally plugin versions prior to 4.1.0, exposing over 200,000 websites. The issue is patched in Ally version 4.1.0, which adds proper query parameterization using the `wpdb::prepare()` function.

The issue allows attackers to inject SQL queries and extract sensitive information from the database.

By Ionut Arghire | March 12, 2026 (8:43 AM ET)

A vulnerability in the Ally WordPress plugin, which is designed for adding accessibility features to websites, could be exploited to extract sensitive information from the databases of over 200,000 sites.

Tracked as CVE-2026-2413 (CVSS score of 7.5), the bug is described as an SQL injection issue via the URL path and stems from user-supplied URL parameters in a certain method not being sufficiently sanitized. The sanitization mechanism fails to prevent the injection of SQL metacharacters such as single quotes and parentheses, WordPress security firm Defiant explains.

“This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques,” the security firm notes.

The issue was identified in the plugin’s implementation of the ‘subscribers’ query functionality, which does not use the WordPress wpdb prepare() function, meant to parameterize and escape SQL queries for safe execution. This allows attackers to inject custom SQL queries that are executed in WordPress, and to take a time-based blind SQL injection approach for information exfiltration.

The patch for this security defect adds the wpdb prepare() function to the sanitization workflow, thus enabling the protection against SQL injection. The fix was included in Ally version 4.1.0, which was released on February 23.

WordPress statistics show that, as of March 11, roughly 60% of all installations were running a vulnerable iteration of the plugin. Since Ally has over 400,000 active installations, more than 200,000 websites are likely exposed to potential attacks.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
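The defect pattern the article describes (a request value concatenated into SQL after a sanitizer that leaves quotes and parentheses intact) next to the remediation it names (routing values through wpdb::prepare()), as an added PHP example. This is not Ally's code: the table, the function names and the `status` parameter are hypothetical.

```php
<?php
// Added example, not the Ally plugin's code. A hypothetical "subscribers"
// lookup in a WordPress plugin, first in the vulnerable shape, then fixed.

// VULNERABLE (illustrative): the URL parameter is interpolated into the
// query. sanitize_text_field() strips tags and stray whitespace, but it
// leaves SQL metacharacters such as single quotes and parentheses alone,
// so it is not an injection defence and the value still reaches MySQL
// as part of the query text.
function ally_example_get_subscribers_vulnerable( $status ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'example_subscribers';   // trusted prefix
    $status = sanitize_text_field( $status );
    $sql    = "SELECT id, email FROM {$table} WHERE status = '{$status}' LIMIT 50";
    return $wpdb->get_results( $sql );
}

// FIXED: every request-derived value becomes a placeholder (%s, %d, %f)
// and $wpdb->prepare() escapes and quotes it, so the value can only ever
// be compared against, never parsed as SQL. Identifiers (table and column
// names) cannot be value placeholders: they come from constants or an
// allowlist. (WordPress 6.2+ also offers the %i identifier placeholder.)
function ally_example_get_subscribers_fixed( $status, $orderby = 'id', $limit = 50 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_subscribers';
    $allowed = array( 'id', 'email', 'created_at' );
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'id';                                // reject unknown columns
    }
    $sql = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE status = %s ORDER BY {$orderby} DESC LIMIT %d",
        $status,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// Typical entry point: the parameter arrives on the query string.
add_action( 'init', function () {
    if ( isset( $_GET['ally_example_status'] ) ) {
        $status = sanitize_text_field( wp_unslash( $_GET['ally_example_status'] ) );
        $rows   = ally_example_get_subscribers_fixed( $status, 'email', 25 );
        // ... render $rows
    }
} );
```

When reviewing a plugin for this class of bug, the check is mechanical: any `$wpdb->get_results()`, `get_var()`, `get_row()` or `query()` call whose SQL string is built from `$_GET`, `$_POST` or `$_REQUEST` without passing through `$wpdb->prepare()` needs the second shape, regardless of which sanitize_* helper sits in front of it.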