
Review: Ally WordPress Plugin Unauthenticated SQL Injection (400k+ Sites) and a Repeatable Response Playbook for WordPress Teams
The Ally plugin incident is the exact class of WordPress risk that causes avoidable firefights: unauthenticated SQL injection on a high-install-base plugin, active exploitation, and a short window between disclosure and broad scanning. This review translates that event into an operations playbook teams can repeat across plugin incidents, not just this one.

Incident Snapshot

Plugin: Ally (formerly Pojo Accessibility), slug pojo-accessibility.
Footprint: 400,000+ active installations at the time of disclosure.
Vulnerability class: unauthenticated SQL injection.
Public tracking: CVE-2026-2413.
Fixed release: 4.1.1.

Wordfence reported live exploitation attempts and released a firewall rule before many sites completed plugin updates. Operationally, that is the pattern to plan for: exploit traffic starts before your patch campaign reaches full coverage.

What Made This Incident Dangerous

The risk was not only SQLi severity. It was the combination of:

No authentication required.
Large install
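The snapshot gives the two facts a patch campaign turns on: the plugin slug (pojo-accessibility) and the first fixed release (4.1.1). The script below is an added example, not code from the article, from Wordfence or from the Ally project. It measures patch coverage across a fleet: given a per-site plugin inventory (the sample here is constructed, with record fields modelled on what `wp plugin list --format=json` emits), it lists every site still on a pre-fix build and reports the fraction of installs already fixed. Inactive installs are reported as well, because the plugin files remain on disk and the plugin can be re-enabled. Pre-release tags (for example "4.1.1-beta1") are treated as older than the final release they precede.

```python
import re

# Facts from the advisory as summarised on the page.
PLUGIN_SLUG = "pojo-accessibility"
FIXED_VERSION = "4.1.1"

# Constructed sample inventory: one list of plugin records per site, in the
# shape an inventory job would collect from `wp plugin list --format=json`.
# Hostnames and versions below are made up for the example.
SAMPLE_INVENTORY = {
    "shop.example.test": [
        {"name": "pojo-accessibility", "status": "active", "update": "available", "version": "4.0.9"},
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    ],
    "blog.example.test": [
        {"name": "pojo-accessibility", "status": "active", "update": "none", "version": "4.1.1"},
    ],
    "legacy.example.test": [
        {"name": "pojo-accessibility", "status": "inactive", "update": "available", "version": "4.0.10"},
    ],
    "docs.example.test": [
        {"name": "wordpress-seo", "status": "active", "update": "none", "version": "22.0"},
    ],
}


def parse_version(v):
    """'4.0.10' -> (4, 0, 10, 1).

    Numeric fields are padded to at least three so '4.1' compares as 4.1.0.
    The trailing element is 1 for a final release and 0 when a pre-release
    suffix such as '-beta1' is present, so a pre-release always sorts below
    the final release it precedes. Plain tuple comparison then orders versions
    correctly, including '4.0.10' > '4.0.9' (string comparison would get that wrong).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    is_final = 1 if m.group(2) == "" else 0
    return tuple(nums) + (is_final,)


def is_vulnerable(version):
    """True when the installed build is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return sorted (site, status, version) tuples for every site still
    running a pre-fix build of the plugin, active or inactive."""
    findings = []
    for site, plugins in inventory.items():
        for p in plugins:
            if p["name"] == PLUGIN_SLUG and is_vulnerable(p["version"]):
                findings.append((site, p["status"], p["version"]))
    return sorted(findings)


def coverage(inventory):
    """Fraction of sites with the plugin installed that are on a fixed release.
    Sites without the plugin are not part of the denominator."""
    installed = [s for s, ps in inventory.items()
                 if any(p["name"] == PLUGIN_SLUG for p in ps)]
    if not installed:
        return 1.0
    exposed = {site for site, _, _ in triage(inventory)}
    return 1 - len(exposed) / len(installed)


if __name__ == "__main__":
    for site, status, version in triage(SAMPLE_INVENTORY):
        print(f"{site}: {PLUGIN_SLUG} {version} ({status}) is below {FIXED_VERSION}")
    print(f"patch coverage: {coverage(SAMPLE_INVENTORY):.0%}")
```

Re-running this against a fresh inventory each hour gives the number that matters while scanning is already under way: how much of the fleet the firewall rule is still the only thing protecting.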
Continue reading on Dev.to



