Security vulnerability in "Ally" WordPress Plugin affects 400,000 websites
Attackers can execute their own commands via a vulnerability in the WordPress plugin "Ally". Admins should install the security patch.
(Image: Tatiana Popova/Shutterstock.com)
A security vulnerability lets attackers target WordPress websites on which the plugin "Ally – Web Accessibility & Usability" is installed. So far there are no reports of attackers exploiting the vulnerability in the wild.
SQL Injection
Security researchers from Wordfence describe the vulnerability (CVE-2026-2413, risk rating "high") in a blog post. Because of insufficient input checks, attackers can execute their own SQL commands without authentication via specially crafted URLs. A successful attack gives access to data that is supposed to be isolated, such as password hashes.
According to the plugin website, Ally has 400,000 active installations, and all of these websites are potentially vulnerable. The developers state that the vulnerability has been closed in Ally – Web Accessibility & Usability 4.1.0. All versions up to and including 4.0.3 are reported to be affected.
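The two checks an administrator would want after reading this, namely whether the installed version falls in the affected range and whether the web server's access log already shows requests carrying SQL syntax in URL parameters, as an added example that is not from the article, from Wordfence or from the plugin's developers. It assumes the common Apache/nginx "combined" access-log format; the request paths, parameter names and log lines are constructed samples and do not describe the plugin's real endpoints or the actual exploit. Only the version figures (4.0.3 last affected, 4.1.0 fixed) come from the article.

```python
"""Triage helpers for the Ally SQL injection advisory (added example).

Assumptions (not from the article): logs are in the common "combined"
format, and the paths/parameters in SAMPLE_LOG are constructed samples,
not the plugin's real endpoints.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Version figures from the article: releases up to and including 4.0.3 are
# affected; 4.1.0 contains the fix.
LAST_AFFECTED = (4, 0, 3)
FIXED = (4, 1, 0)


def parse_version(text: str) -> tuple:
    """Turn '4.0.3' into (4, 0, 3), padded to three components."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(installed: str) -> bool:
    """True when the installed Ally version is <= 4.0.3 (needs the 4.1.0 update)."""
    return parse_version(installed) <= LAST_AFFECTED


# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic signatures of SQL syntax in user-supplied parameter values.
# These are coarse indicators for log review, not a description of the Ally bug.
SQLI_RE = re.compile(
    r"(\bunion\b\s+\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|'\s*or\s*'|--\s|/\*)",
    re.IGNORECASE,
)


def suspicious_params(target: str) -> list:
    """Return the names of query parameters whose decoded value looks like SQL."""
    query = urlsplit(target).query
    hits = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        if SQLI_RE.search(unquote_plus(value)):
            hits.append(unquote_plus(name))
    return hits


def scan_log(lines) -> list:
    """Collect (ip, timestamp, target, flagged params) for suspicious requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip lines that are not in combined format
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append((m["ip"], m["ts"], m["target"], hits))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, made-up action name).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2026:10:11:12 +0000] "GET /?p=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Mar/2026:10:12:01 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=example_action&id=7 HTTP/1.1" 200 88',
    '198.51.100.7 - - [02/Mar/2026:10:12:44 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=example_action&id=7%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 88',
    '198.51.100.7 - - [02/Mar/2026:10:13:02 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=example_action&id=7%27%20OR%20SLEEP(5)--%20 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for v in ("4.0.3", "4.1.0"):
        print(v, "affected" if is_affected(v) else "fixed")
    for ip, ts, target, params in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target} <- SQL-like value in {params}")
```

The version check is the decisive step: a site on 4.0.3 or earlier should be updated to 4.1.0 regardless of what the log shows. The log scan is a coarse second look for admins who want to know whether crafted requests arrived before the update; real plugin endpoints and parameter names would have to be substituted for the constructed ones, and the signatures will miss encodings they do not cover.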
The security researchers state that the vulnerability was reported in early February via their bug bounty program. The developers then released the security update at the end of February.
(des)