Ally WordPress plugin SQL injection flaw (CVE-2026-2313)

Vulnerability
1 unique source, 1 article

Summary

Elementor's Ally WordPress plugin is exposed to CVE-2026-2313, an unauthenticated SQL injection flaw that lets attackers steal sensitive data from sites running versions up to 4.0.3. Wordfence validated the issue and Elementor fixed it in 4.1.0 on February 23. WordPress.org data suggests more than 250,000 sites may still be vulnerable.

Related Happenings

CISA KEV listing for Wing FTP CVE-2025-47813

Public Sector Action
First: 17.03.2026 07:23 Last: 17.03.2026 07:23 Sources 1

About this happening: CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...

CISA KEV multi-product active exploitation wave (CVE-2020-7796)

Exploitation Wave
First: 18.02.2026 08:52 Last: 18.02.2026 08:52 Sources 1

About this happening: **CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...

CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551

Public Sector Action
First: 04.02.2026 07:50 Last: 04.02.2026 07:50 Sources 1

About this happening: **CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...

Quiz and Survey Master SQL injection mitigation (CVE-2025-67987)

Advisory/Mitigation
First: 03.02.2026 18:15 Last: 03.02.2026 18:15 Sources 1

About this happening: **Patchstack** published mitigation guidance for **CVE-2025-67987**, directing administrators to update **Quiz and Survey Master** to **version 10.3.2** to close a **SQL injection...

Service Finder WordPress theme active auth bypass exploitation wave (CVE-2025-5947)

Exploitation Wave
First: 08.10.2025 18:57 Last: 08.10.2025 18:57 Sources 1

About this happening: **CVE-2025-5947** is being exploited at scale against the **Service Finder WordPress theme**, with attackers using an authentication bypass to log in as administrators and take ov...

Timeline

  1. 11.03.2026 21:38 1 article · 2mo ago

    Wordfence discloses validated CVE-2026-2313 in Ally

    Initial Disclosure

    Wordfence validated CVE-2026-2313 in Elementor's Ally WordPress plugin and disclosed the SQL injection flaw to Elementor on February 13 after confirming that unauthenticated attackers could inject SQL through the URL path when the plugin is connected to an Elementor account and its Remediation module is active.

  2. 11.03.2026 21:38 1 article · 2mo ago

    Elementor releases Ally 4.1.0 to fix CVE-2026-2313

    Mitigation Patch Update

    Elementor released Ally 4.1.0 on February 23 to fix CVE-2026-2313, the SQL injection flaw affecting Ally versions up to 4.0.3, and awarded the researcher an $800 bug bounty after the vulnerability was corrected.

  3. 11.03.2026 21:38 2 articles · 2mo ago

    More than 250,000 Ally sites remain vulnerable to CVE-2026-2313

    Victim Impact Update

    WordPress.org data indicates only about 36% of websites using Ally have upgraded to 4.1.0, leaving more than 250,000 sites vulnerable to CVE-2026-2313, an unauthenticated SQL injection issue in Elementor's Ally WordPress plugin that can expose sensitive database data via the URL path.
