Description
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
Published: 2026-03-11
Score: 7.5 High
EPSS: 27.9% Moderate
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

The Ally – Web Accessibility & Usability WordPress plugin is vulnerable to SQL Injection via the URL path. User input is concatenated directly into an SQL JOIN clause without proper sanitization, allowing an attacker to inject SQL metacharacters. This results in a time‑based blind injection that can extract sensitive data from the database, providing a clear pathway for unauthorized information disclosure. The weakness is classified as CWE‑89.

Affected Systems

All versions of the Ally – Web Accessibility & Usability plugin up to and including 4.0.3 are impacted. The vulnerability exists when the Remediation module is active, which requires the plugin to be connected to an Elementor account. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate to high severity, and the EPSS score of 15% suggests a non-negligible chance of exploitation. The vulnerability is not present in the CISA KEV catalog. Attackers can exploit the flaw via unauthenticated HTTP requests to the plugin’s URL path, bypassing any credential checks. Given the lack of authentication requirement and the potential for data exfiltration, the risk to affected sites is significant.

Generated by OpenCVE AI on March 17, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ally – Web Accessibility & Usability plugin to a version newer than 4.0.3 to remove the vulnerable code.
  • If an immediate update is not possible, disable the Remediation module or deactivate the plugin entirely to eliminate the attack surface.
  • Apply web‑application firewall rules to block suspicious SQL injection patterns on the affected URL paths and monitor database logs for abnormal queries.
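As an added example, not code from the plugin, from Wordfence or from OpenCVE, the following Python script applies the log-monitoring recommendation above to constructed combined-format access-log lines: it flags requests whose URL path, after percent-decoding, contains the single quotes or parentheses that the description says `esc_url_raw()` leaves intact, characters that sanitized WordPress permalink slugs never contain. The sample lines and the `path_prefix` argument (to scope alerts to the site paths the plugin serves) are assumptions.

```python
import re
from urllib.parse import unquote

# Combined-format (Apache/nginx) access-log line; only the fields we need are named.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')

# The advisory says esc_url_raw() leaves single quotes and parentheses intact;
# sanitized WordPress permalink slugs never contain them, so either character in a
# request *path* (not the query string) is the anomaly worth alerting on.
SQL_META = frozenset("'()")

def decode_path(target: str) -> str:
    """Path without query string, percent-decoded up to twice so that a
    double-encoded %2527 is also recognised as a quote."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def suspicious_requests(lines, path_prefix="/"):
    """(ip, timestamp, decoded_path) for each request whose decoded path starts
    with path_prefix and contains an SQL metacharacter. Lines that do not
    parse as access-log entries are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            path = decode_path(m.group("target"))
            if path.startswith(path_prefix) and SQL_META & set(path):
                hits.append((m.group("ip"), m.group("ts"), path))
    return hits

# Constructed sample: benign page, paren only in the query string (ignored),
# quote+paren in the path, the same quote double-encoded, benign REST call.
SAMPLE_LOG = [
    '198.51.100.4 - - [11/Mar/2026:10:00:01 +0000] "GET /about-us/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Mar/2026:10:00:02 +0000] "GET /?s=hello(world) HTTP/1.1" 200 7310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2026:10:00:05 +0000] "GET /about-us/%27%29/ HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '203.0.113.9 - - [11/Mar/2026:10:00:06 +0000] "GET /about-us/%2527/ HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '198.51.100.4 - - [11/Mar/2026:10:00:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, path in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious path {path!r}")
```

Point the script at a real access log and tune `path_prefix` before acting on hits; a match is a lead for investigation, not proof of exploitation.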

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 16:15:00 +0000

  • Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

  • First Time appeared, values added: Elemntor; Elemntor ally – Web Accessibility & Usability; Wordpress; Wordpress wordpress
  • Vendors & Products, values added: Elemntor; Elemntor ally – Web Accessibility & Usability; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 04:30:00 +0000

  • Description, values added: the description shown at the top of this page
  • Title, values added: Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path
  • Weaknesses, values added: CWE-89
  • References, values added: (none listed)
  • Metrics, values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T15:39:46.935Z

Reserved: 2026-02-12T16:39:36.026Z

Link: CVE-2026-2413

Vulnrichment

Updated: 2026-03-11T15:39:31.737Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T05:18:01.063

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-2413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:57Z

Weaknesses