
"This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques."
"The issue was identified in the plugin's implementation of the 'subscribers' query functionality, which does not use the WordPress wpdb prepare() function, meant to parameterize and escape SQL queries for safe execution."
"The sanitization mechanism fails to prevent the injection of SQL metacharacters such as single quotes and parentheses," WordPress security firm Defiant explains.
The Ally WordPress plugin, used by over 400,000 sites for accessibility features, contains a critical SQL injection vulnerability (CVE-2026-2413, CVSS 7.5) in its subscribers query functionality. The vulnerability stems from insufficient sanitization of user-supplied URL parameters, which allows SQL metacharacters such as single quotes and parentheses to pass the plugin's checks. Unauthenticated attackers can inject additional SQL into existing queries to extract sensitive database information using time-based blind SQL injection techniques. The root cause is the plugin's failure to use WordPress's wpdb prepare() function to parameterize its SQL queries. The vulnerability was patched in version 4.1.0, released February 23, but approximately 60% of installations remained vulnerable as of March 11, leaving over 200,000 websites exposed to potential attacks.
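The root cause described above, as an added PHP example constructed for this page (not the Ally plugin's code): a hypothetical subscribers lookup that interpolates a URL parameter after a character filter, beside the same lookup rewritten with `$wpdb->prepare()`. Function, table and parameter names are assumptions; `$wpdb`, `prepare()`, `get_results()`, `wp_unslash()`, `is_email()` and `WP_Error` are standard WordPress APIs.

```php
<?php
// Added example, not the Ally plugin's code. Table, column and parameter
// names are assumptions; $wpdb is the WordPress database object.

// WEAK: a character filter followed by string interpolation. Stripping a few
// characters is not parameterization; anything the filter does not list
// (here, single quotes and parentheses) reaches the SQL parser as syntax,
// which is the failure mode the advisory describes.
function vulnerable_subscriber_lookup( $email ) {
    global $wpdb;
    $filtered = str_replace( array( ';', '--' ), '', $email ); // incomplete by design
    $sql = "SELECT id, status FROM {$wpdb->prefix}subscribers WHERE email = '$filtered'";
    return $wpdb->get_results( $sql );
}

// FIXED: $wpdb->prepare() takes the query with %s/%d placeholders and escapes
// each value for its placeholder type (quoting %s itself), so the input can
// only ever be a string literal, never additional query text.
function safe_subscriber_lookup( $email ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, status FROM {$wpdb->prefix}subscribers WHERE email = %s",
        $email
    );
    return $wpdb->get_results( $sql );
}

// Defensive intake: validate the parameter's shape before querying. This is a
// second layer only; prepare() remains the control that prevents injection.
function subscriber_lookup_from_request() {
    $email = isset( $_GET['email'] ) ? wp_unslash( $_GET['email'] ) : '';
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Malformed email parameter.' );
    }
    return safe_subscriber_lookup( $email );
}
```

When reviewing plugin code for this bug class, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string contains a variable but no surrounding `prepare()`; each such call is a candidate finding.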
#sql-injection-vulnerability #wordpress-plugin-security #database-exploitation #cve-2026-2413 #accessibility-plugin-risk
Read at SecurityWeek