SQL Injection Vulnerability in Elementor Ally Plugin Affects 250,000+ WordPress Sites

SQL Injection Vulnerability in Elementor Ally Plugin Affects 250,000+ WordPress Sites

First seen 12 Mar 2026, 14:52 UTC BleepingcomputerFeeds.FeedburnerSecurityweekSecurityaffairs.CoTechradar+4 80% similarity 72.0

Article Content

Browse articles
ThreatCluster

A critical SQL injection vulnerability, tracked as CVE-2026-2313, has been discovered in the Ally WordPress plugin, which is used on over 400,000 sites. This flaw allows unauthenticated attackers to inject SQL commands via a user-supplied URL parameter, potentially leading to the theft of sensitive data. The vulnerability was identified by Drew Webber from Acquia and has a high severity score. Elementor released a patch in version 4.1.0 on February 23, 2026, but only 36% of affected sites have upgraded, leaving more than 250,000 sites vulnerable. Additionally, WordPress 6.9.2 was released on March 11, 2026, addressing multiple vulnerabilities. Site owners are urged to upgrade both the Ally plugin and WordPress to mitigate risks. The vulnerability highlights ongoing issues with SQL injection flaws, which remain a significant threat despite being well understood.

Key Points: • CVE-2026-2313 allows SQL injection in the Ally plugin affecting over 250,000 sites. • Only 36% of users have upgraded to the patched version, leaving many vulnerable. • WordPress 6.9.2 released to address multiple vulnerabilities, including XSS and SSRF.

ThreatCluster AI

Timeline

2026-02-11
CVE-2026-2313 published
2026-02-23
Patch for CVE-2026-2313 released in version 4.1.0
2026-03-11
WordPress 6.9.2 released to address vulnerabilities
2026-03-11
CVE-2026-2413 published
2026-03-12
Articles published reporting on the vulnerability and its impact

Community

Browse all →