WordPress Plugin Vulnerabilities

Ally < 4.1.0 - Unauthenticated SQLi via URL Path

Description

The plugin is vulnerable to SQL Injection via the URL path due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.

Affects Plugins

Plugin icon
pojo-accessibility
Fixed in 4.1.0

References

CVE
CVE-2026-2413
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/00e070b7-bdf6-4a80-a3ee-628243f1cc25

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Drew Webber (mcdruid)
Verified
No
WPVDB ID
9cc78cbc-edc9-40b4-b156-4fcbc13d4625

Timeline

Publicly Published
2026-03-10 (about 2 months ago)
Added
2026-03-10 (about 2 months ago)
Last Updated
2026-03-10 (about 2 months ago)

Other

Published
Title
Published
2019-07-16
Title
Web Librarian < 3.5.5 - SQL Injection
Published
2024-05-06
Title
KKProgressbar2 Free <= 1.1.4.2 - Admin+ SQL Injection
Published
2014-08-01
Title
Ajax Gallery <= 3.0 - SQL Injection
Published
2023-06-19
Title
All In One Redirection < 2.2.0 - Admin+ SQLi
Published
2023-11-20
Title
WP Mail Log < 1.1.3 - Editor+ SQL Injection via id