Ally Web Accessibility and Usability WordPress Plugin SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the Ally – Web Accessibility & Usability plugin for WordPress, affecting all versions through 4.0.3. The issue arises from inadequate escaping of user-supplied URL parameters in the 'get_global_remediations()' method. The vulnerability allows unauthenticated attackers to inject SQL metacharacters into existing SQL queries, potentially leading to the extraction of sensitive database information using time-based blind SQL injection techniques. Exploitation requires the Remediation module to be active, which in turn requires a connection to an Elementor account.
Impact
Successful exploitation lets an attacker manipulate the plugin's SQL queries to extract sensitive information from the database. Because the injection is time-based and blind, the attacker does not see the query results directly but can infer them from how long the database takes to respond.
Reproduction
To reproduce this vulnerability, send a request to a WordPress site with the Ally – Web Accessibility & Usability plugin installed, version 4.0.3 or earlier. Ensure that the Remediation module is active and the plugin is connected to an Elementor account. Include a crafted URL path that exploits the SQL injection vulnerability by injecting SQL metacharacters into the 'get_global_remediations()' method. The injected SQL can then be used to extract database information via time-based blind SQL injection techniques.
Remediation
Users are advised to update the Ally – Web Accessibility & Usability plugin to version 4.1.0 or later, where this vulnerability has been patched.
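To check whether a site was probed before it was updated, the following added example (not part of the original advisory or of the plugin's code) scans web access logs for time-delay SQL functions in request URLs. It assumes an nginx combined log format with `$request_time` appended as the last field; the log lines, IP addresses and the `scan` and `decode_target` names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines, not real traffic. Assumed format: nginx "combined"
# plus $request_time (seconds) as the final field.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2030:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.084
203.0.113.9 - - [10/Mar/2030:10:00:05 +0000] "GET /about/%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "curl/8.0" 5.091
203.0.113.9 - - [10/Mar/2030:10:00:12 +0000] "GET /about/%2527%2520AND%2520sleep%25285%2529 HTTP/1.1" 404 310 "-" "curl/8.0" 0.020
198.51.100.4 - - [10/Mar/2030:10:00:20 +0000] "GET /blog/it's-a-sleepy-day/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0" 0.120
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)
# MySQL delay primitives used as a *function call*; a bare word such as
# "sleepy" in a slug does not match, which keeps false positives down.
TIMING = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)


def decode_target(target, rounds=3):
    """Percent-decode repeatedly so double-encoded requests are normalised."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan(log_text, slow_seconds=3.0):
    """Return one finding per request whose decoded URL calls a delay function.

    slow=True means the response took at least slow_seconds, which is
    consistent with the injected delay having executed on the database.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        decoded = decode_target(m["target"])
        if TIMING.search(decoded):
            findings.append({"ip": m["ip"], "target": decoded,
                             "status": int(m["status"]),
                             "slow": float(m["rt"]) >= slow_seconds})
    return findings
```

Findings with `slow` set deserve priority review, since a delayed response suggests the request reached a vulnerable query rather than being rejected earlier.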
