SQL injection flaw in Elementor’s Ally plugin puts 400,000 WordPress sites at risk

A newly disclosed SQL injection flaw in Elementor’s Ally plugin could let attackers extract sensitive data from vulnerable WordPress sites without logging in. The bug, tracked as CVE-2026-2413, affects Ally versions through 4.0.3 and was fixed in version 4.1.0, which Elementor released on February 23, 2026. The risk is significant because Ally has about 400,000 […] The post SQL injection flaw in Elementor’s Ally plugin puts 400,000 WordPress sites at risk appeared first on VPN Central.