Overview
- The accessibility plugin has over 400,000 active installs, and WordPress.org data shows only about 36% of them running the patched version, leaving roughly 64%, more than 250,000 sites, still exposed.
- The flaw enables unauthenticated, time-based blind SQL injection through the URL path: the attacker attaches a conditional delay (e.g. MySQL's SLEEP()) to the query and reads the truth of a condition from the response time, so sensitive database data, including password hashes, can be extracted one character at a time without any error message or query output appearing in the page.
- The root cause is a user-supplied URL parameter concatenated directly into a JOIN query instead of being passed through $wpdb->prepare(); the vendor's 4.1.0 release switches the query to parameterized form to remediate it.
- Exploitation is feasible only when the plugin is connected to an Elementor account with the Remediation module active, narrowing but not eliminating the risk.
- Researcher Drew Webber reported the bug through Wordfence's program and received an $800 bounty; reporting on the flaw cites two different CVE IDs (CVE-2026-2313 and CVE-2026-2413), so check both when correlating advisories and scanner output.
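The concatenation-versus-prepare() distinction above, as an added illustration that is not the plugin's code and not taken from the vendor's fix: the table name, column names and the `get_remediations_*` function names are assumptions chosen to make the JOIN pattern concrete, and the injected payload is a generic MySQL time-based probe, not a reproduction of the reported exploit.

```php
<?php
// Hypothetical illustration of the bug class, not the affected plugin's code.
// Table/column names are assumed. Both functions expect WordPress' global $wpdb.

// VULNERABLE: a value taken from the request URL is pasted into SQL text.
// A path segment such as
//     x' AND IF(SUBSTRING((SELECT user_pass FROM wp_users LIMIT 1),1,1)='$',SLEEP(5),0)-- -
// closes the string literal, attaches a conditional delay and comments out the
// rest. The page returns nothing useful, but a 5-second response versus an
// immediate one tells the attacker whether the first byte of the hash is '$';
// repeating this per position and per candidate byte extracts the whole hash.
function get_remediations_vulnerable( $slug_from_url ) {
    global $wpdb;
    $sql = "SELECT r.* FROM {$wpdb->prefix}a11y_remediations r "
         . "JOIN {$wpdb->posts} p ON p.ID = r.post_id "
         . "WHERE p.post_name = '" . $slug_from_url . "'";   // no $wpdb->prepare()
    return $wpdb->get_results( $sql );
}

// HARDENED: the same query with the user value bound through $wpdb->prepare().
// %s quotes and escapes the value, so the embedded quote cannot terminate the
// literal and the payload is matched as an (absent) post slug. Use %d for
// numeric IDs: it coerces "1 AND SLEEP(5)" to the integer 1.
function get_remediations_safe( $slug_from_url ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT r.* FROM {$wpdb->prefix}a11y_remediations r "
        . "JOIN {$wpdb->posts} p ON p.ID = r.post_id "
        . "WHERE p.post_name = %s",
        $slug_from_url
    );
    return $wpdb->get_results( $sql );
}
```

Two caveats when applying the fix: $wpdb->prepare() only binds values, so a table or column name that comes from the request still needs an allowlist (or the %i identifier placeholder available since WordPress 6.2), and a literal percent sign inside the query string must be written as %% or prepare() will treat it as a placeholder.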