SQL Injection Vulnerability in Elementor Ally Plugin
Summary
An SQL injection vulnerability (CVE-2026-2313) in the Elementor Ally WordPress plugin, which has over 400,000 installations, allows unauthenticated attackers to inject SQL via the URL path. The flaw affects all versions up to 4.0.3 and can be exploited to extract sensitive data from the site database. Only 36% of installations have updated to the patched version 4.1.0, leaving over 250,000 sites vulnerable. The root cause is insufficient escaping of user-supplied URL parameters in the plugin's `get_global_remediations()` method, which enables time-based blind SQL injection. Exploitation requires the plugin to be connected to an Elementor account with the Remediation module active. Separately, WordPress 6.9.2 fixes several vulnerabilities, including XSS, authorization bypass, and SSRF flaws, and should be installed promptly.
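To make the root cause concrete, here is an added illustration of the vulnerability class (unescaped URL input interpolated into a query) beside the parameterised form, and of the blind-injection oracle an attacker builds on top of it. This is example code written for this page, not code from the Elementor Ally plugin; the table, column names, sample rows and the `remediations` query are all hypothetical stand-ins, and the function names only borrow the plugin's method name for readability. SQLite has no `SLEEP()`, so the oracle below is boolean-based (row count) rather than time-based; in MySQL the same technique substitutes a condition such as `SLEEP(5)` and measures response time.

```python
import sqlite3

# Constructed sample data standing in for a plugin's remediation table.
# Schema and rows are hypothetical, not the plugin's real storage.
SAMPLE_ROWS = [
    ("https://example.test/", "alt-text-missing", "public"),
    ("https://example.test/about", "contrast-low", "public"),
    ("https://example.test/admin-notes", "internal-review", "private"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE remediations (url TEXT, rule TEXT, visibility TEXT)")
    db.executemany("INSERT INTO remediations VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def get_global_remediations_vulnerable(db, url):
    """Vulnerable pattern: the user-controlled URL is spliced into the SQL text.

    Any quote in `url` ends the string literal and lets the caller rewrite
    the rest of the statement, including the visibility filter.
    """
    sql = (
        "SELECT url, rule FROM remediations "
        f"WHERE url = '{url}' AND visibility = 'public'"
    )
    return db.execute(sql).fetchall()


def get_global_remediations_safe(db, url):
    """Hardened pattern: the URL is bound as a parameter, never parsed as SQL.

    The WordPress equivalent is $wpdb->prepare() with a %s placeholder.
    """
    sql = (
        "SELECT url, rule FROM remediations "
        "WHERE url = ? AND visibility = 'public'"
    )
    return db.execute(sql, (url,)).fetchall()


# Constructed payload: close the literal, add an always-true clause, and
# comment out the trailing visibility filter.
INJECTED_URL = "' OR 1=1 --"


def demo():
    """Return (rows leaked by the vulnerable query, rows from the safe query)."""
    db = make_db()
    leaked = get_global_remediations_vulnerable(db, INJECTED_URL)
    safe = get_global_remediations_safe(db, INJECTED_URL)
    return len(leaked), len(safe)


def blind_probe(db, condition):
    """Blind-injection oracle: True when the injected SQL condition holds.

    The attacker never sees the data directly; they only observe whether the
    response differs (here: whether any rows come back). A time-based variant
    replaces the row-count signal with a delay such as MySQL's SLEEP().
    """
    payload = f"' OR ({condition}) --"
    return len(get_global_remediations_vulnerable(db, payload)) > 0


if __name__ == "__main__":
    print("vulnerable rows, safe rows:", demo())
    db = make_db()
    # Infer a fact about private data one yes/no question at a time.
    print(
        "private row exists:",
        blind_probe(db, "(SELECT count(*) FROM remediations WHERE visibility = 'private') > 0"),
    )
```

The safe variant returns nothing for the payload because the whole string, quote and all, is compared against the `url` column as data. The probe shows why "blind" injection still leaks: each query answers one true/false question about the database, and an attacker scripts thousands of them to reconstruct hashes or tokens byte by byte.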
Timeline
- 11.03.2026 21:38 · 1 article
SQL Injection Vulnerability in Elementor Ally Plugin Disclosed
Sources:
- SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites — www.bleepingcomputer.com — 11.03.2026 21:38
Information Snippets
- The vulnerability is tracked as CVE-2026-2313 and is rated high severity. (First reported 11.03.2026 21:38; source: SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites, www.bleepingcomputer.com)
- The flaw was discovered by Drew Webber, an offensive security engineer at Acquia. (First reported 11.03.2026 21:38; source: SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites, www.bleepingcomputer.com)
- The vulnerability affects all Ally versions up to 4.0.3. (First reported 11.03.2026 21:38; source: SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites, www.bleepingcomputer.com)
- Exploitation requires the plugin to be connected to an Elementor account with the Remediation module active. (First reported 11.03.2026 21:38; source: SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites, www.bleepingcomputer.com)
- Only 36% of users have updated to the patched version 4.1.0, leaving over 250,000 sites vulnerable. (First reported 11.03.2026 21:38; source: SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites, www.bleepingcomputer.com)
- WordPress 6.9.2 addresses 10 vulnerabilities, including XSS, authorization bypass, and SSRF flaws. (First reported 11.03.2026 21:38; source: SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites, www.bleepingcomputer.com)