SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites
SQL injection vulnerability in Elementor’s Ally plugin (CVE‑2026‑2313) threatens over 250,000 WordPress sites. The flaw allows unauthenticated attackers to inject SQL via a URL parameter in the `get_global_remediations()` method, enabling data theft and time‑based blind SQL injections. The issue is fixed in version 4.1.0 released on February 23, but only about 36% of sites have upgraded, leaving many still vulnerable. WordPress also released a new patch (6.9.2) addressing several security flaws; administrators should update both the plugin and WordPress immediately.

SQL Injection Vulnerability in Elementor’s “Ally” Plugin Threatens Over 250,000 WordPress Sites
A critical SQL injection flaw has been discovered in the Ally plugin—an accessibility and usability extension from Elementor that boasts more than 400,000 installations worldwide. The vulnerability, catalogued as CVE‑2026‑2313, allows an unauthenticated attacker to inject malicious SQL queries through a user‑supplied URL parameter. This flaw is present in all versions of the plugin up to 4.0.3.
How the Attack Works
The problem originates from improper handling of the get_global_remediations() function. The user‑supplied URL parameter is concatenated directly into an SQL JOIN clause without proper sanitization or parameterization. Although esc_url_raw() is applied for URL safety, it does not neutralize SQL metacharacters such as single quotes and parentheses. As a result, attackers can append additional SQL statements to existing queries, enabling them to read, modify, or delete sensitive data from the database using time‑based blind SQL injection techniques.
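To make the defect concrete, here is an added illustration of the vulnerable pattern beside its hardened form (this is not the Ally plugin's actual code; the table and column names are assumptions). `esc_url_raw()` keeps `'`, `(` and `)` because they are legal URL characters, so only binding the value through `$wpdb->prepare()` keeps it out of the SQL grammar.

```php
<?php
// Hypothetical illustration, not the Ally plugin's real code.
// Table and column names below are assumptions.

// Vulnerable pattern: esc_url_raw() removes characters that are not
// permitted in a URL, but single quotes and parentheses are permitted,
// so the value can still terminate the string literal in the JOIN clause.
function get_global_remediations_vulnerable( $wpdb, $url ) {
    $url = esc_url_raw( $url ); // URL sanitization, not SQL escaping
    $sql = "SELECT r.* FROM {$wpdb->prefix}remediations r "
         . "JOIN {$wpdb->prefix}remediation_pages p ON p.id = r.page_id "
         . "AND p.url = '" . $url . "'";   // direct string concatenation
    return $wpdb->get_results( $sql );
}

// Hardened pattern: the value is bound with a %s placeholder through
// $wpdb->prepare(), which quotes and escapes it, so it is always treated
// as data regardless of which characters it contains.
function get_global_remediations_fixed( $wpdb, $url ) {
    $url = esc_url_raw( $url ); // still useful for URL validity
    $sql = $wpdb->prepare(
        "SELECT r.* FROM {$wpdb->prefix}remediations r "
        . "JOIN {$wpdb->prefix}remediation_pages p ON p.id = r.page_id "
        . "AND p.url = %s",            // prepare() adds the quotes itself
        $url
    );
    return $wpdb->get_results( $sql );
}
```

When auditing a plugin, a quick check is to grep for `$wpdb->query(`, `get_results(` and `get_var(` calls whose argument is built with `.` concatenation rather than `$wpdb->prepare()`.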
Affected Sites
WordPress.org statistics show that only about 36% of sites using Ally have upgraded to the patched version 4.1.0. Consequently, more than 250,000 WordPress installations remain vulnerable to CVE‑2026‑2313.
Remediation Steps
- Upgrade Ally – Install the latest plugin version (4.1.0) released on February 23. This patch eliminates the injection vector by properly sanitizing all input before building SQL queries.
- Update WordPress Core – The newest WordPress release, 6.9.2, addresses ten critical vulnerabilities—including cross‑site scripting (XSS), authorization bypass, and server‑side request forgery (SSRF). Site owners should apply this update immediately to strengthen overall security posture.
The flaw was reported by Drew Webber of Acquia’s offensive security team and rewarded with an $800 bug bounty upon disclosure. While the vulnerability can only be exploited if the plugin is linked to an Elementor account and its Remediation module is active, the widespread use of Ally underscores the urgency for prompt remediation.
Stay vigilant: review your plugins, keep core WordPress updated, and consider regular security audits to detect similar vulnerabilities before attackers exploit them.