CVE-2026-2413 is an SQL Injection vulnerability in the Ally – Web Accessibility & Usability WordPress plugin by elemntor, affecting all versions up to 4.0.3. The vulnerability exists because the get_global_remediations() method concatenates a user-supplied URL parameter directly into an SQL JOIN clause without proper SQL context sanitization. The function esc_url_raw() is used but does not prevent injection of SQL metacharacters such as single quotes and parentheses. This allows unauthenticated attackers to append additional SQL queries, potentially extracting sensitive database information via time-based blind SQL injection. The attack surface is limited to cases where the Remediation module is active and the plugin is connected to an Elementor account. The CVSS 3.1 base score is 7.5, indicating high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact.

Successful exploitation can lead to unauthorized extraction of sensitive information from the plugin's database due to SQL Injection. The vulnerability does not impact integrity or availability but has a high confidentiality impact. Attackers do not require authentication or user interaction, increasing the risk. However, exploitation requires the Remediation module to be active and connection to an Elementor account, which may limit exposure.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch information is provided in the available data. Until a patch is available, consider disabling the Remediation module or disconnecting the plugin from the Elementor account to reduce exposure. Monitor vendor communications for updates and apply official fixes promptly once released.