High-Severity SQL Injection Flaw in Ally WordPress Plugin Exposed 246,600 Sites A critical SQL injection vulnerability (CVE-2026-2413) in the Ally WordPress plugin a web accessibility tool from Elementor left approximately 246,600 websites vulnerable to data theft. The flaw, discovered by security researcher Drew Webber of Acquia, allowed unauthenticated attackers to inject malicious SQL queries into databases, enabling the extraction of sensitive information via time-based blind SQL injection techniques. The vulnerability, rated 7.5/10 (high severity), affected all versions of Ally up to 4.0.3. It was patched on February 23 with the release of version 4.1.0. Despite over 400,000 active installations, only 38.4% (153,600 sites) had updated to the secure version at the time of disclosure, leaving the majority exposed. WordPress, which has long emphasized the security risks posed by third-party plugins, urged users to immediately update both Ally and the core platform. WordPress 6.9.2, released recently, addressed 10 vulnerabilities, including XSS, authorization bypass, and SSRF flaws. The incident underscores the persistent threat of plugin-based vulnerabilities in the WordPress ecosystem, where outdated or unsupported extensions remain a primary attack vector.