A security flaw in the Ally WordPress plugin could allow unauthenticated attackers to inject arbitrary SQL and extract sensitive information from the databases of over 200,000 sites. Tracked as CVE-2026-2413 (CVSS 7.5), the vulnerability is an SQL injection via the URL path, caused by inadequate sanitisation of user-supplied URL parameters. According to Defiant, the plugin's sanitisation routine does not strip or escape SQL metacharacters, so an attacker can use time-based blind SQL injection, inferring database contents from how long the server takes to respond, to exfiltrate data without any authentication.
The patch routes the affected query through the WordPress $wpdb->prepare() function, so the URL-derived value is passed as a bound parameter instead of being interpolated into the SQL string. The fix shipped in Ally version 4.1.0, released on 23 February 2026; any site still running an earlier version should update. WordPress.org statistics show that as of 11 March 2026 roughly 60% of all installations were still running a vulnerable version of the plugin, and with Ally having over 400,000 active installations, more than 200,000 websites are likely exposed to attack.
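The following is an added illustration of the two mechanisms described above, the failing deny-list sanitiser and the $wpdb->prepare() fix. It is not Ally's code and is not taken from Defiant's write-up; the table, column, route value and the DemoWpdb stand-in class (which mimics wpdb::prepare() only closely enough to run outside WordPress, assuming PHP 8) are invented for the demonstration.

```php
<?php
// Added illustration, not the Ally plugin's code. Shows a query built from a
// URL path segment first with a hand-rolled deny-list "sanitiser" and then
// hardened with $wpdb->prepare(). Table/column names are invented.

// Stand-in for the WordPress global $wpdb so this file runs without WordPress.
// Real wpdb::prepare() escapes every argument through the database driver and
// wraps %s placeholders in quotes; this stub copies that shape with addslashes()
// purely to make the difference between the two builders visible.
class DemoWpdb {
    public string $prefix = 'wp_';

    public function prepare(string $query, mixed ...$args): string {
        // wpdb tolerates '%s' written with quotes and supplies its own.
        $query = str_replace("'%s'", '%s', $query);
        $i = 0;
        return preg_replace_callback('/%([sdf])/', function (array $m) use (&$i, $args): string {
            $arg = $args[$i++] ?? '';
            return match ($m[1]) {
                's' => "'" . addslashes((string) $arg) . "'",
                'd' => (string) (int) $arg,
                'f' => (string) (float) $arg,
            };
        }, $query);
    }
}

// UNSAFE: the route segment is "sanitised" with a deny-list that strips HTML
// characters but not SQL metacharacters such as ' or --, then concatenated
// straight into the statement. This is the class of bug the article describes.
function build_query_unsafe(DemoWpdb $wpdb, string $slug): string {
    $slug = str_replace(['<', '>', '"'], '', $slug);   // not an SQL escape
    return "SELECT id FROM {$wpdb->prefix}demo_items WHERE slug = '$slug'";
}

// HARDENED: the value is handed to $wpdb->prepare() as a %s argument, so it
// can only ever be compared as a string literal, whatever it contains.
function build_query_safe(DemoWpdb $wpdb, string $slug): string {
    return $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}demo_items WHERE slug = %s",
        $slug
    );
}

$wpdb = new DemoWpdb();

// Constructed payload in the shape of a time-based blind probe: it does not
// change which rows come back, only whether the server pauses, which is how
// the technique leaks data one character at a time.
$payload = "x' OR IF(SUBSTRING(user_pass,1,1)='a',SLEEP(5),0)-- -";

echo "unsafe: ", build_query_unsafe($wpdb, $payload), PHP_EOL;
// the OR IF(... SLEEP(5) ...) clause becomes live SQL

echo "safe:   ", build_query_safe($wpdb, $payload), PHP_EOL;
// the whole payload is one escaped, quoted literal compared against slug
```

Note that WordPress input helpers such as sanitize_text_field() or esc_url_raw() clean values for HTML or URL contexts, not for SQL; only $wpdb->prepare() (or an equivalent parameterised query) makes a user-controlled value safe inside a statement, and a value used in a LIKE clause additionally needs $wpdb->esc_like() before it is passed as a %s argument.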