SQL injection flaw in Ally WordPress plugin exposes 200,000+ sites to data theft. Patch released, but most installations remain unpatched and vulnerable.