FKIE_CVE-2026-2413
Vulnerability from fkie_nvd - Published: 2026-03-11 05:18 - Updated: 2026-04-22 21:27
Severity: HIGH (CVSS v3.1 base score 7.5)
Summary
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
```json
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Ally \u2013 Web Accessibility \u0026 Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account."
    },
    {
      "lang": "es",
      "value": "El plugin Ally \u2013 Web Accessibility \u0026amp; Usability para WordPress es vulnerable a inyecci\u00f3n SQL a trav\u00e9s de la ruta URL en todas las versiones hasta la 4.0.3, inclusive. Esto se debe a un escape insuficiente en el par\u00e1metro URL proporcionado por el usuario en el m\u00e9todo `get_global_remediations()`, donde se concatena directamente en una cl\u00e1usula SQL JOIN sin una sanitizaci\u00f3n adecuada para el contexto SQL. Si bien se aplica `esc_url_raw()` para la seguridad de la URL, no evita que se inyecten metacaracteres SQL (comillas simples, par\u00e9ntesis). Esto hace posible que atacantes no autenticados a\u00f1adan consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n sensible de la base de datos a trav\u00e9s de t\u00e9cnicas de inyecci\u00f3n SQL ciega basada en tiempo. El m\u00f3dulo de remediaci\u00f3n debe estar activo, lo que requiere que el plugin est\u00e9 conectado a una cuenta de Elementor."
    }
  ],
  "id": "CVE-2026-2413",
  "lastModified": "2026-04-22T21:27:27.950",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@wordfence.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-11T05:18:01.063",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/classes/utils.php#L17"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/pojo-accessibility/tags/4.0.3/modules/remediation/database/remediation-entry.php#L215"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/changeset/3467513/pojo-accessibility/trunk/modules/remediation/database/remediation-entry.php"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00e070b7-bdf6-4a80-a3ee-628243f1cc25?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Secondary"
    }
  ]
}
```