SQL injection flaw in Elementor’s Ally plugin puts 400,000 WordPress sites at risk
A newly disclosed SQL injection flaw in Elementor’s Ally plugin could let attackers extract sensitive data from vulnerable WordPress sites without logging in. The bug, tracked as CVE-2026-2413, affects Ally versions through 4.0.3 and was fixed in version 4.1.0, which Elementor released on February 23, 2026.
The risk is significant because Ally has about 400,000 active installations, according to the plugin listing. Wordfence says the vulnerability stems from insufficient escaping of a user-supplied URL value inside the get_global_remediations() method, which leaves the door open to unauthenticated time-based blind SQL injection.
There is an important limitation, though. Wordfence says exploitation is only possible if the plugin is connected to an Elementor account and the Remediation module is active. That means not every site running a vulnerable version is equally exposed, but any site that meets those conditions should patch immediately.
What the vulnerability does
Wordfence describes CVE-2026-2413 as an unauthenticated SQL injection issue that can be abused through the URL path. NVD’s description matches that finding and says all Ally versions up to and including 4.0.3 are affected.
In practice, SQL injection bugs can allow attackers to read sensitive information from a site’s database, including user records and, in some cases, password hashes or other internal data. Wordfence explicitly says this flaw could be used to extract sensitive information from the database via time-based blind SQL injection techniques.
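To make the "insufficient escaping of a user-supplied URL value" concrete, here is an added example (not the Ally plugin's code, and not taken from Wordfence's advisory) showing the general class of bug in Python with an in-memory SQLite table: a lookup that pastes a URL value straight into the SQL string, next to the same lookup with a bound parameter. The table, rows, and the crafted input are constructed for the demonstration; the WordPress equivalent of the bound-parameter form is `$wpdb->prepare()`.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, standing in for a site database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE remediations (id INTEGER PRIMARY KEY, url TEXT, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO remediations (url, note) VALUES (?, ?)",
        [
            ("https://example.test/about", "missing alt text"),
            ("https://example.test/contact", "low contrast"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, url: str) -> list:
    """Vulnerable pattern: the URL value is interpolated into the SQL text,
    so a quote inside it ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT id, url FROM remediations WHERE url = '{url}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, url: str) -> list:
    """Hardened pattern: the value travels as a bound parameter. The driver never
    parses it as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, url FROM remediations WHERE url = ?", (url,)
    ).fetchall()


# Constructed inputs: one ordinary URL and one that carries SQL syntax.
BENIGN_URL = "https://example.test/about"
CRAFTED_URL = "https://example.test/about' OR '1'='1"


def demo() -> dict:
    """Return row counts for each input/function pair so the difference is visible."""
    conn = build_sample_db()
    return {
        "unsafe_benign": len(lookup_unsafe(conn, BENIGN_URL)),
        "unsafe_crafted": len(lookup_unsafe(conn, CRAFTED_URL)),
        "safe_benign": len(lookup_safe(conn, BENIGN_URL)),
        "safe_crafted": len(lookup_safe(conn, CRAFTED_URL)),
    }


if __name__ == "__main__":
    print(demo())
```

With the interpolated query the crafted value turns a one-row lookup into a query that matches every row; with the bound parameter the same value simply matches nothing. Escaping the value is a weaker substitute for binding it, which is why "insufficient escaping" is the usual root cause in reports like this one.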
Key details
| Item | Detail |
|---|---|
| CVE | CVE-2026-2413 |
| Affected versions | Ally up to and including 4.0.3 |
| Fixed version | 4.1.0 |
| Attack type | Unauthenticated SQL injection |
| Exploitation requirements | Elementor account connected and Remediation module active |
| Active installations | About 400,000 |
Source: Wordfence, NVD, and the WordPress plugin page.
Why the “250,000+ sites” figure appeared
The claim that more than 250,000 sites remain exposed comes from combining the plugin’s roughly 400,000 active installs with the report that only about 36% had upgraded to 4.1.0 at the time of publication. That estimate is directionally reasonable, but the more stable figure from the official plugin listing is the 400,000 active-install base.
What site owners should do now
- Update Ally to version 4.1.0 immediately.
- Check whether the plugin is connected to an Elementor account and whether the Remediation module is enabled.
- Review database access logs and suspicious requests if your site was exposed on a vulnerable version. This is a sensible defensive step based on the nature of SQL injection, though the sources above do not provide a specific log-review procedure.
- Update WordPress core as well. WordPress.org says version 6.9.2 is a security release and recommends installing it immediately.
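Since the sources give no log-review procedure, here is an added example of one (not from Wordfence, NVD, or Elementor) that a site owner could run over web server access logs to surface the request patterns a time-based blind SQL injection attempt leaves behind: SQL delay functions in a URL-decoded query string and unusually slow responses to the same requests. The log lines are constructed, the request path `/wp-json/example/v1/items` is a placeholder rather than any real plugin endpoint, and the format assumed is Apache combined with the request duration in microseconds (`%D`) appended.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real logs). Format: Apache combined + "%D" (microseconds).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Feb/2026:10:00:01 +0000] "GET /wp-json/example/v1/items?url=https://example.test/page HTTP/1.1" 200 512 "-" "Mozilla/5.0" 41000
203.0.113.10 - - [24/Feb/2026:10:00:03 +0000] "GET /wp-json/example/v1/items?url=https://example.test/page HTTP/1.1" 200 512 "-" "Mozilla/5.0" 39000
198.51.100.7 - - [24/Feb/2026:10:00:05 +0000] "GET /wp-json/example/v1/items?url=https%3A%2F%2Fexample.test%2F%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "curl/8.0" 5043000
198.51.100.7 - - [24/Feb/2026:10:00:12 +0000] "GET /wp-json/example/v1/items?url=https%3A%2F%2Fexample.test%2F%27%20AND%20BENCHMARK%281000000%2C1%29--%20 HTTP/1.1" 200 512 "-" "curl/8.0" 6210000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<us>\d+)$'
)

# Delay primitives used by time-based blind injection across common SQL engines.
TIME_FN_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)


def triage(log_text: str, slow_ms: int = 3000) -> list:
    """Return one finding per suspicious request with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        decoded = unquote_plus(m["path"])
        reasons = []
        if TIME_FN_RE.search(decoded):
            reasons.append("time_delay_function")
        if "'" in decoded.partition("?")[2]:
            reasons.append("quote_in_query_string")
        if int(m["us"]) / 1000 >= slow_ms:
            reasons.append("slow_response")
        if reasons:
            findings.append(
                {
                    "ip": m["ip"],
                    "time": m["ts"],
                    "path": decoded,
                    "duration_ms": int(m["us"]) // 1000,
                    "reasons": reasons,
                }
            )
    return findings


def summarize(findings: list) -> dict:
    """Count flagged requests per source IP to spot a single client probing repeatedly."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["duration_ms"], "ms", h["reasons"])
    print(summarize(hits))
```

A request that trips more than one reason (a delay function in the decoded query string and a response several seconds slower than the same endpoint's normal timing) is the strongest signal; a slow response on its own can be ordinary load, and a lone quote character can be a legitimate URL. Run it over the retention window that covers the period before the 4.1.0 update was applied, and treat any flagged IP as grounds to check the database for data access you did not expect.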
FAQ
What is CVE-2026-2413?
It is an unauthenticated SQL injection vulnerability in Elementor’s Ally plugin for WordPress.
Which versions of Ally are affected?
All versions up to and including 4.0.3 are affected, and version 4.1.0 contains the fix.
Is every site running a vulnerable version exploitable?
No. Wordfence says the plugin must be connected to an Elementor account and the Remediation module must be active for exploitation to work.
How many sites use Ally?
The WordPress plugin page lists about 400,000 active installations.