An unauthenticated SQL injection flaw, tracked as CVE-2026-2413 (CVSS 7.5), in the Ally WordPress plugin could allow attackers to steal sensitive data from more than 400,000 sites. The vulnerability stems from insecure handling of the subscribers query: the plugin concatenates a user-supplied URL parameter directly into an SQL JOIN clause. The value is passed through esc_url_raw() first, but that function sanitizes a string for use as a URL; it is not an SQL escaping function and does not neutralize the characters an injection payload relies on, so it offers no protection here.
By exploiting a time-based blind SQL injection, attackers could use CASE statements and SLEEP() delays to gradually extract data such as password hashes. The flaw was discovered by Acquia’s Drew Webber on 4 February 2026 and was responsibly reported through the Wordfence Bug Bounty Programme, which also noted that WordPress users should update to Ally version 4.1.0 to mitigate the risk.
Wordfence published the advisory stating that the vulnerability affects versions up to and including 4.0.3. The development team addressed the issue by passing the parameter through $wpdb->prepare() so that it is bound as a value rather than spliced into the JOIN clause, with the patch released on 23 February 2026. According to Wordfence, users are urged to verify that their sites are running the latest patched version as soon as possible, given the flaw's high severity and the fact that it requires no authentication.