A newly disclosed security vulnerability in a popular WordPress plugin is leaving hundreds of thousands of websites open to database attacks, even though a patch has already been released.
Cybersecurity researchers at Wordfence have warned that the issue affects the Ally WordPress plugin used on more than 400,000 sites, and originates from an SQL injection vulnerability that attackers can exploit without logging in. The vulnerability, tracked as CVE-2026-2413, allows malicious actors to extract sensitive data directly from a website’s database.
A Flaw That Opens the Door to Database Access
The vulnerability comes from how the plugin handles certain URL parameters. Instead of properly checking and filtering user input before sending it to the database, the plugin allows attackers to manipulate queries by inserting malicious SQL code.
This means a specially crafted URL can trigger unauthorized database queries. Researchers say attackers can use time-based blind SQL injection techniques, which rely on delays in server responses to gradually reveal information stored in the database.
According to Wordfence’s blog post, that information could include administrator accounts, email addresses, password hashes, or other sensitive records stored by the website.
Developers behind the Ally plugin released a fix in version 4.1.0 on February 23, addressing the vulnerability by correcting how database queries are handled. However, despite the availability of the update, adoption has been slow. According to security researchers, roughly 60% of installations were still running vulnerable versions as of March 11, leaving more than 200,000 websites exposed.
Why SQL Injection Still Keeps Appearing
Even though SQL injection has been known for decades, it remains one of the most common web security flaws. Commenting on the issue, Yagub Rahimov, CEO of Polygraf AI, said the vulnerability reflects a familiar development mistake.
“SQL injection is probably one of the oldest vulnerabilities in web security, and it keeps showing up because developers keep making the same mistake: concatenating user input directly into database queries instead of using parameterized statements,” Rahimov said.
He noted that WordPress already provides built-in protections to prevent this type of flaw. “WordPress provides wpdb prepare() to prevent this type of vulnerability, and it simply wasn’t used,” he explained.
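As an added illustration (not the Ally plugin's code and not taken from Wordfence's write-up), the mistake Rahimov describes in a hypothetical WordPress handler: the concatenated query beside the same query bound through `$wpdb->prepare()`. The table name `demo_items`, the parameters `item_id` and `q`, and the function names are assumptions; the code expects a WordPress runtime where `$wpdb` is available.

```php
<?php
// Hypothetical plugin code written for this article; it assumes a table
// {$wpdb->prefix}demo_items(id INT, title VARCHAR) and a WordPress runtime.

// VULNERABLE: the raw query-string value is concatenated into the SQL text,
// so whatever the visitor sends becomes part of the statement the database
// executes. No login is needed to reach this function, matching the article.
function demo_get_item_vulnerable() {
    global $wpdb;
    $id    = isset( $_GET['item_id'] ) ? $_GET['item_id'] : '';
    $table = $wpdb->prefix . 'demo_items';
    $sql   = "SELECT title FROM {$table} WHERE id = " . $id; // no validation, no prepare()
    return $wpdb->get_var( $sql );
}

// FIXED: the value is coerced to a non-negative integer and bound through
// $wpdb->prepare(), so user input can change the value but never the query.
function demo_get_item_fixed() {
    global $wpdb;
    $id = isset( $_GET['item_id'] ) ? absint( wp_unslash( $_GET['item_id'] ) ) : 0;
    if ( 0 === $id ) {
        return null; // reject missing or non-numeric input instead of querying
    }
    $table = $wpdb->prefix . 'demo_items';
    $sql   = $wpdb->prepare( "SELECT title FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_var( $sql );
}

// FIXED, string variant: a free-text search parameter. %s quotes and escapes
// the value; $wpdb->esc_like() additionally neutralises LIKE wildcards, which
// prepare() alone does not do. Table names are never placeholders, so the
// prefix is still interpolated, but it comes from WordPress, not the visitor.
function demo_search_items_fixed() {
    global $wpdb;
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $q ) {
        return array();
    }
    $table = $wpdb->prefix . 'demo_items';
    $like  = '%' . $wpdb->esc_like( $q ) . '%';
    $sql   = $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s LIMIT 20", $like );
    return $wpdb->get_results( $sql );
}
```

In a code review, any `$wpdb->query()`, `get_var()`, `get_results()` or `get_row()` call whose SQL string is built with `.` or `"{$var}"` from request data, and that is not wrapped in `$wpdb->prepare()`, is the pattern to flag.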
If exploited, the consequences could extend beyond simple data exposure. According to Rahimov, the entire WordPress database may become accessible, including user accounts, email addresses, hashed passwords, and other sensitive records.
“What’s worse is the attack doesn’t require any authentication,” he added. “Anyone can trigger it by sending a crafted URL, and exploitation is straightforward to automate using widely known SQL injection tools.”
Because the vulnerability can be exploited remotely and without login credentials, it is particularly attractive for large-scale automated attacks.
“With 60% of installations still unpatched as of March 11, that’s over 200,000 sites sitting exposed after a fix has been available for two weeks,” Rahimov said.
He emphasized that the fix itself is simple. “The patch is a single function call. Sites running the Ally plugin need to update to version 4.1.0 immediately.”
What Website Owners Should Do
Website administrators using WordPress with the Ally plugin should update to version 4.1.0 or later immediately. Applying the update closes the SQL injection vulnerability and prevents attackers from abusing the vulnerable query handling.
Rahimov also advised organizations to review the type of information stored in their WordPress databases.
“Any organization that hasn’t already should audit what user data their WordPress installation holds and assume it may have been accessed if they were running a vulnerable version,” he said.
For now, the risk comes from the large number of websites still running outdated versions of the plugin, a reminder that patching delays remain one of the biggest factors in real-world cyberattacks.