Critical SQL Injection bug in Ally plugin threatens 400,000+ WordPress sites
Summary: the Ally WordPress plugin has an SQL injection vulnerability (CVE-2026-2413) affecting more than 400,000 sites. The flaw lets attackers steal sensitive data such as password hashes. Fixed in version 4.1.0. 2026-3-12 13:25:35 Author: securityaffairs.com


An unauthenticated SQL injection flaw (CVE-2026-2413) in the Ally WordPress plugin, used on 400K+ sites, could allow attackers to steal sensitive data.

An unauthenticated SQL injection flaw in the Ally WordPress plugin, tracked as CVE-2026-2413 (CVSS score 7.5, high severity), could allow attackers to steal sensitive data from the site database. Drew Webber, an offensive security engineer at Acquia, discovered the vulnerability on February 4, 2026.

Ally (formerly One Click Accessibility) is a free WordPress plugin that helps creators build accessible websites. It offers an accessibility scanner with AI suggestions, a usability widget for visitors, and an automated accessibility statement generator. The plugin is used on over 400,000 WordPress sites.

The flaw could allow an unauthenticated attacker to extract sensitive data from the database, including user password hashes. Webber responsibly reported the issue through the Wordfence Bug Bounty Program, earning an $800 bounty. Wordfence notified Elementor, the plugin's vendor, on February 13; the vendor acknowledged the report on February 15 and released a patch on February 23, 2026.

Users are urged to update to Ally version 4.1.0 or later, which contains the fix; all versions up to and including 4.0.3 are affected.

The vulnerability stems from insecure handling of the subscribers query in Ally. The plugin builds a SQL JOIN clause that incorporates a page URL parameter by string concatenation, without passing the value through WordPress' $wpdb->prepare() function, which substitutes escaped values for %s and %d placeholders so that user input cannot alter the query's structure.

esc_url_raw() is applied to the parameter, but it sanitizes for URL context, not SQL context: single quotes and parentheses are legal URL characters and pass through unchanged, so an attacker can still close the string literal and inject SQL. Because the query's results are not reflected back to the attacker, exploitation is blind: using CASE expressions that trigger SLEEP() delays when a guessed condition is true, an attacker can infer database contents one character at a time, including password hashes from the WordPress users table.

“The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3.” reads the advisory published by Wordfence. “This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected.”

The development team addressed the issue by building the JOIN clause with $wpdb->prepare() and a placeholder for the URL, so the value is escaped and quoted before it is interpolated into the query.
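To make the pattern described above concrete, here is an added example that is not the Ally plugin's code: a hypothetical remediations lookup that reproduces the advisory's description (a user-supplied URL concatenated into a JOIN clause after esc_url_raw()) beside the $wpdb->prepare() version of the same query, plus the shape of the time-based probe the article describes. The table names, column names and function names are assumptions made for the example; it is written to run inside WordPress, where $wpdb and esc_url_raw() are available.

```php
<?php
/**
 * Added example, not code from the Ally plugin or from Wordfence.
 *
 * Assumed schema (hypothetical): {prefix}example_pages(id, url) and
 * {prefix}example_remediations(id, page_id, rule, content). Assumes the
 * WordPress runtime ($wpdb, esc_url_raw()) is loaded.
 */

/**
 * VULNERABLE: esc_url_raw() strips characters that are invalid in a URL, but
 * single quotes and parentheses are valid URL characters and survive, so a
 * crafted URL controls part of the SQL text.
 */
function example_vulnerable_lookup( $url ) {
	global $wpdb;

	$url          = esc_url_raw( $url );
	$pages        = $wpdb->prefix . 'example_pages';
	$remediations = $wpdb->prefix . 'example_remediations';

	// The quotes around {$url} are all that separates the input from the
	// SQL grammar; a single quote inside $url closes them early.
	$sql = "SELECT r.id, r.rule, r.content
	        FROM {$remediations} AS r
	        JOIN {$pages} AS p
	          ON p.id = r.page_id
	         AND p.url = '{$url}'";

	return $wpdb->get_results( $sql );
}

/**
 * FIXED: the URL becomes a %s placeholder. prepare() escapes the value and
 * adds the surrounding quotes itself, so do NOT write '%s'. Table names cannot
 * be placeholders; they are still interpolated, but they are derived from
 * $wpdb->prefix, not from the request.
 */
function example_fixed_lookup( $url ) {
	global $wpdb;

	$url          = esc_url_raw( $url );
	$pages        = $wpdb->prefix . 'example_pages';
	$remediations = $wpdb->prefix . 'example_remediations';

	$sql = $wpdb->prepare(
		"SELECT r.id, r.rule, r.content
		 FROM {$remediations} AS r
		 JOIN {$pages} AS p
		   ON p.id = r.page_id
		  AND p.url = %s",
		$url
	);

	return $wpdb->get_results( $sql );
}

/**
 * Shape of the time-based blind probe the article describes, constructed here
 * for illustration. esc_url_raw() keeps ' ( ) but encodes spaces as %20, so
 * inline SQL comments stand in for whitespace. Against the vulnerable function
 * a five-second delay in the response means $guess matched the first byte of
 * the hash; against the fixed function the whole string is just a URL value
 * that matches no row.
 */
function example_probe_url( $guess ) {
	return "https://example.com/page'/**/AND/**/(CASE/**/WHEN/**/"
		. "(SELECT/**/SUBSTRING(user_pass,1,1)/**/FROM/**/wp_users/**/WHERE/**/ID=1)='{$guess}'"
		. "/**/THEN/**/SLEEP(5)/**/ELSE/**/0/**/END)/**/AND/**/'1'='1";
}
```

When auditing a plugin for this class of bug, the thing to look for is any `$wpdb->get_results()`, `get_var()`, `get_row()` or `query()` call whose SQL string contains a variable interpolation that did not come out of `prepare()`; WordPress' escaping helpers (`esc_url_raw()`, `esc_attr()`, `sanitize_text_field()`) are context-specific and none of them is a substitute. To confirm a site is patched, check the installed version against 4.1.0, for example with WP-CLI (`wp plugin get <slug> --field=version`; the slug for Ally, formerly One Click Accessibility, is assumed here to be `pojo-accessibility`).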

“The vulnerability has been addressed in version 4.1.0 of the plugin.” concludes the advisory. “We encourage WordPress users to verify that their sites are updated to the latest patched version of Ally as soon as possible considering the critical nature of this vulnerability.”


Pierluigi Paganini

Source: https://securityaffairs.com/189354/security/critical-sql-injection-bug-in-ally-plugin-threatens-400000-wordpress-sites.html