Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks

A SQL injection vulnerability (CVE-2026-2413) in the Ally WordPress plugin allowed unauthenticated attackers to perform time-based blind SQL injection and extract sensitive database information from over 200,000 sites. A patch included in Ally 4.1.0 adds $wpdb->prepare() sanitization to address the flaw, but as of March 11 roughly 60% of installations remained vulnerable. #Ally #CVE20262413

Keypoints

  • CVE-2026-2413 is a SQL injection vulnerability in the Ally plugin’s URL path handling.
  • Unsanitized user-supplied URL parameters in the ‘subscribers’ query allowed injection of SQL metacharacters.
  • Unauthenticated attackers could use time-based blind SQL injection to exfiltrate sensitive database information.
  • The plugin did not use the WordPress $wpdb->prepare() function, leaving queries unparameterized and unsafe.
  • Ally 4.1.0, released Feb 23, patches the issue, but about 60% of installations (~200,000+ sites) remained exposed as of March 11.
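To make the fix concrete, here is an added illustration (constructed for this summary, not the Ally plugin's code) of the defect class described above and the $wpdb->prepare() remedy the patch applies; the route, table, function and parameter names are assumptions.

```php
<?php
// Added illustration, not the Ally plugin's code. Route, table and parameter
// names ('example/v1', example_subscribers, list_id) are assumptions.

// BEFORE: the URL parameter is concatenated straight into the statement, so any
// SQL metacharacters it carries become part of the query. This unparameterized
// pattern is the class of defect that enables time-based blind SQL injection.
function example_get_subscribers_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $list_id = $request->get_param( 'list_id' ); // attacker-controlled string
    $sql = "SELECT id, email FROM {$wpdb->prefix}example_subscribers"
         . " WHERE list_id = '" . $list_id . "'";
    return $wpdb->get_results( $sql ); // vulnerable: never build SQL this way
}

// AFTER: $wpdb->prepare() binds the value through a placeholder, so it is always
// treated as data rather than SQL. Coercing the input to an integer first
// narrows what can reach the query at all.
function example_get_subscribers_safe( WP_REST_Request $request ) {
    global $wpdb;
    $list_id = absint( $request->get_param( 'list_id' ) ); // non-negative int or 0
    if ( 0 === $list_id ) {
        return new WP_Error( 'bad_request', 'Invalid list id', array( 'status' => 400 ) );
    }
    $sql = $wpdb->prepare(
        "SELECT id, email FROM {$wpdb->prefix}example_subscribers WHERE list_id = %d",
        $list_id
    );
    return $wpdb->get_results( $sql );
}

// Registering the route with a real permission_callback closes the
// "unauthenticated" half of the exposure; returning true there would not.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/subscribers', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_subscribers_safe',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'list_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );
```

A quick audit check for the same defect elsewhere is to grep a plugin for `$wpdb->get_results(`, `get_var(`, `get_row(` and `query(` calls whose argument is not wrapped in `$wpdb->prepare(`.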

Read More: https://www.securityweek.com/ally-wordpress-plugin-flaw-exposes-over-200000-websites-to-attacks/