CVE-2026-2413
Severity: HIGH | Nuclei template: available
Ally Web Accessibility & Usability Plugin <=4.0.3 - SQL Injection
Title source: LLM
Exploitation Summary
EIP tracks 2 public exploits for CVE-2026-2413. PoCs published by p3Nt3st3r-sTAr, Sechunt3r. A Nuclei detection template is also available.
AI-analyzed exploit summary: This repository contains a functional Python script that exploits an unauthenticated time-based blind SQL injection vulnerability in the WordPress Ally plugin (versions <= 4.0.3). The exploit uses a crafted payload to trigger a delay-based SQL query, confirming vulnerability via response timing.
Description
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
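The advisory's point is that `esc_url_raw()` escapes for URL context, not SQL context, so a quote or parenthesis in the path survives into the query string. The following is an added illustration, not the plugin's own code: the function name `get_global_remediations()` comes from the advisory, but the table names, column names and query shape are hypothetical. It places the unsafe concatenation pattern the advisory describes beside the hardened form using the real WordPress `$wpdb->prepare()` API.

```php
<?php
// Added example, not the plugin's code. Hypothetical reconstruction of the pattern
// the advisory describes: a URL read from the request is escaped for URL safety
// only and then interpolated straight into a JOIN clause.
function get_global_remediations_unsafe( $url ) {
    global $wpdb;
    $url   = esc_url_raw( $url );                    // URL-safe, not SQL-safe: ' and ( survive
    $table = $wpdb->prefix . 'ally_remediations';    // hypothetical table name
    $urls  = $wpdb->prefix . 'ally_urls';            // hypothetical table name
    $sql   = "SELECT r.* FROM {$table} r "
           . "JOIN {$urls} u ON u.id = r.url_id AND u.url = '{$url}'"; // user data becomes SQL syntax
    return $wpdb->get_results( $sql );
}

// Hardened form: keep esc_url_raw() for URL hygiene, then let $wpdb->prepare()
// bind the value for SQL context so a quote in the path is stored as data,
// never parsed as part of the statement.
function get_global_remediations_safe( $url ) {
    global $wpdb;
    $url   = esc_url_raw( $url );
    $table = $wpdb->prefix . 'ally_remediations';    // hypothetical table name
    $urls  = $wpdb->prefix . 'ally_urls';            // hypothetical table name
    $sql   = $wpdb->prepare(
        "SELECT r.* FROM {$table} r "
        . "JOIN {$urls} u ON u.id = r.url_id AND u.url = %s",
        $url
    );
    return $wpdb->get_results( $sql );
}
```

Design note: the fix is not to stack more escaping functions on the value but to change how the value enters the query. `$wpdb->prepare()` with a `%s` placeholder is the WordPress-native way to bind untrusted strings; identifiers such as table names are still interpolated because placeholders do not cover them, which is why they must come from trusted code rather than the request. When reviewing a patch for this class of bug, the check is simply whether any request-derived value still reaches the SQL string outside a placeholder.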
Exploits (2)
- First PoC: summary identical to the AI-analyzed exploit summary above.
- Second PoC: This repository contains a functional exploit for CVE-2026-2413, an unauthenticated time-based blind SQL injection vulnerability in the Ally – Web Accessibility & Usability WordPress plugin (versions <= 4.0.3). The exploit leverages insufficient sanitization in the `get_global_remediations()` method, allowing SQL metacharacters to be injected via the URL path.
Nuclei Templates (1)
References (4)
Scores
CVSS 3.1 base vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N