CVE-2026-2413 (GCVE-0-2026-2413)

Vulnerability from cvelistv5 – Published: 2026-03-11 04:25 – Updated: 2026-04-08 16:32
VLAI?
Title
Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path
Summary
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
Vendor Product Version
elemntor Ally – Web Accessibility & Usability Affected: 0 , ≤ 4.0.3 (semver)
Create a notification for this product.
Credits
Drew Webber
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2413",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T15:37:50.290909Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T15:39:46.935Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Ally \u2013 Web Accessibility \u0026 Usability",
          "vendor": "elemntor",
          "versions": [
            {
              "lessThanOrEqual": "4.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Drew Webber"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Ally \u2013 Web Accessibility \u0026 Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:32:24.537Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00e070b7-bdf6-4a80-a3ee-628243f1cc25?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/database/remediation-entry.php#L215"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/classes/utils.php#L17"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3467513/pojo-accessibility/trunk/modules/remediation/database/remediation-entry.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-12T17:01:46.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-10T16:11:03.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Ally \u2013 Web Accessibility \u0026 Usability \u003c= 4.0.3 - Unauthenticated SQL Injection via URL Path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2413",
    "datePublished": "2026-03-11T04:25:46.393Z",
    "dateReserved": "2026-02-12T16:39:36.026Z",
    "dateUpdated": "2026-04-08T16:32:24.537Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-2413",
      "date": "2026-04-15",
      "epss": "0.26485",
      "percentile": "0.9633"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-2413\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-03-11T05:18:01.063\",\"lastModified\":\"2026-03-11T13:52:47.683\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Ally \u2013 Web Accessibility \u0026 Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/classes/utils.php#L17\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/database/remediation-entry.php#L215\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3467513/pojo-accessibility/trunk/modules/remediation/database/remediation-entry.php\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/00e070b7-bdf6-4a80-a3ee-628243f1cc25?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2413\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-11T15:37:50.290909Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-11T15:39:31.737Z\"}}], \"cna\": {\"title\": \"Ally \\u2013 Web Accessibility \u0026 Usability \u003c= 4.0.3 - Unauthenticated SQL Injection via URL Path\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Drew Webber\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"}}], \"affected\": [{\"vendor\": \"elemntor\", \"product\": \"Ally \\u2013 Web Accessibility \u0026 Usability\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.0.3\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-12T17:01:46.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-03-10T16:11:03.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/00e070b7-bdf6-4a80-a3ee-628243f1cc25?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/database/remediation-entry.php#L215\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/classes/utils.php#L17\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3467513/pojo-accessibility/trunk/modules/remediation/database/remediation-entry.php\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Ally \\u2013 Web Accessibility \u0026 Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-08T16:32:24.537Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-2413\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T16:32:24.537Z\", \"dateReserved\": \"2026-02-12T16:39:36.026Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-03-11T04:25:46.393Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.