High-Severity SQL Injection Flaw in WordPress Ally Plugin Exposes 250,000+ Sites A critical security vulnerability in the widely used WordPress plugin Ally designed to improve website accessibility and usability has been discovered, allowing unauthenticated attackers to extract, modify, or delete sensitive database information. The flaw, identified as CVE-2026-2413, is an SQL injection (SQLi) vulnerability that enables malicious actors to inject harmful SQL commands via a URL parameter. Discovered by Acquia security engineer Drew Webber, the exploit requires no authentication but is only executable if the plugin’s Remediation module is enabled and linked to an Elementor account. Researchers at Wordfence confirmed the attack method, noting that threat actors could leverage time-based blind SQL injection to extract data from vulnerable databases. The vulnerability was patched in version 4.1.0, released on February 23. However, WordPress usage data reveals that only 36% of sites running the plugin have applied the update, leaving an estimated 250,000+ websites exposed to potential exploitation. The flaw underscores the risks of delayed patching in widely deployed WordPress plugins.

The Maine Office of the Attorney General reported that Ally Bank experienced a data breach due to insider wrongdoing on May 25, 2023. The breach, discovered on July 25, 2023, affected 328 individuals, compromising financial account numbers, among other personal information. Identity theft protection services, specifically Equifax Complete Premier, were offered for 24 months.

The California Office of the Attorney General reported a data breach involving Ally Financial Inc on June 15, 2021. The breach occurred on February 18, 2021, due to a programming code error that exposed usernames and passwords to third parties, affecting an unspecified number of individuals.

The California Office of the Attorney General reported a data breach involving Ally Bank on December 13, 2018. The breach occurred on November 11, 2018, when a third-party supplier inadvertently transmitted personal information to another financial institution, potentially affecting unspecified individuals. The compromised information included names, Social Security numbers, and other personal details.