Securityaffairs.Co
SQL Injection Vulnerability in Elementor Ally Plugin Affects 250,000+ WordPress Sites
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A critical SQL injection vulnerability, tracked as CVE-2026-2313, has been discovered in the Ally WordPress plugin, which is used on over 400,000 sites. This flaw allows unauthenticated attackers to inject SQL commands via a user-supplied URL parameter, potentially leading to the theft of sensitive data. The vulnerability was identified by Drew Webber from Acquia and has a high severity score. Elementor released a patch in version 4.1.0 on February 23, 2026, but only 36% of affected sites have upgraded, leaving more than 250,000 sites vulnerable. Additionally, WordPress 6.9.2 was released on March 11, 2026, addressing multiple vulnerabilities. Site owners are urged to upgrade both the Ally plugin and WordPress to mitigate risks. The vulnerability highlights ongoing issues with SQL injection flaws, which remain a significant threat despite being well understood.
Key Points: • CVE-2026-2313 allows SQL injection in the Ally plugin affecting over 250,000 sites. • Only 36% of users have upgraded to the patched version, leaving many vulnerable. • WordPress 6.9.2 released to address multiple vulnerabilities, including XSS and SSRF.