An SQL injection vulnerability in the Ally WordPress plugin for Elementor (tracked as CVE-2026-2313) allows unauthenticated attackers to inject SQL via a URL parameter and potentially exfiltrate sensitive data. Elementor released a fix in Ally 4.1.0 after disclosure by Drew Webber of Acquia, but more than 250,000 sites remain vulnerable due to slow updates. #Ally #CVE-2026-2313
Key points
- An SQL injection bug affects all Ally versions up to 4.0.3 and is tracked as CVE-2026-2313.
- The flaw stems from improper escaping of a user-supplied URL parameter in get_global_remediations(), allowing SQL metacharacter injection.
- esc_url_raw() was applied to the parameter for URL sanitisation, but it does not escape SQL metacharacters, so time-based blind SQL injection was possible.
- Exploitation requires the plugin to be connected to an Elementor account with the Remediation module active; Wordfence validated the issue and it was fixed in 4.1.0.
- Only about 36% of sites have updated to 4.1.0, leaving over 250,000 sites exposed; administrators should update Ally and install WordPress 6.9.2 immediately.
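The core mistake in the key points above is treating a URL sanitiser as an SQL escaper. The following is an added illustration, not Ally's code: a hypothetical WordPress query that mirrors the described pattern (esc_url_raw() followed by string interpolation into SQL) beside the hardened form that binds the value with $wpdb->prepare(). The table name, function names and parameter are invented for the example; it assumes WordPress is loaded so that $wpdb and esc_url_raw() exist.

```php
<?php
// Added example, not the Ally plugin's code. Assumes WordPress is loaded
// ($wpdb and esc_url_raw() available). Table and function names are hypothetical.

// VULNERABLE pattern (the shape of the bug described above, do not use):
// esc_url_raw() only removes characters that are not legal in a URL. The single
// quote and parentheses are URL-legal, so they survive and reach the SQL string.
function example_lookup_by_url_vulnerable( $url ) {
    global $wpdb;
    $url = esc_url_raw( $url );
    // Interpolating the value closes the quoted literal on the first quote in $url.
    $sql = "SELECT id, rule FROM {$wpdb->prefix}example_remediations WHERE page_url = '{$url}'";
    return $wpdb->get_results( $sql );
}

// HARDENED form: keep esc_url_raw() for its URL purpose, and let $wpdb->prepare()
// handle SQL. %s is quoted and escaped by prepare(), so write it without quotes.
function example_lookup_by_url_safe( $url ) {
    global $wpdb;
    $url = esc_url_raw( $url );
    $sql = $wpdb->prepare(
        "SELECT id, rule FROM {$wpdb->prefix}example_remediations WHERE page_url = %s",
        $url
    );
    return $wpdb->get_results( $sql );
}

// Check that shows why the sanitiser alone is not enough: the quote is still
// present after esc_url_raw(), i.e. the function returns true.
function example_quote_survives_esc_url_raw() {
    $sanitised = esc_url_raw( "https://example.com/?q=o'brien" ); // constructed input
    return strpos( $sanitised, "'" ) !== false;
}
```

When reviewing plugin code for this class of bug, look for any $wpdb->query()/get_results()/get_var() call whose SQL string is built by interpolation or concatenation from request data, regardless of which esc_*() or sanitize_*() function was applied first; only $wpdb->prepare() (or $wpdb->esc_like() for LIKE patterns, used together with prepare()) makes the value safe for SQL.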