Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable via simple GET request, no credentials required, scope unchanged; integrity impact is Low reflecting soft-deletion only, with no confidentiality or availability consequences.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Devs Accounting - Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID.
AnalysisAI
{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the target WordPress site has the Devs Accounting plugin installed and active in version 1.2.0 or earlier, with the WordPress REST API reachable over HTTP/HTTPS - the default configuration for any publicly accessible WordPress installation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.3 Medium score with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N accurately characterizes this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for WordPress installations exposing the /wp-json/devs-accounting/v1/delete-account/ endpoint, either through targeted reconnaissance or mass internet scanning. Without any credentials or session tokens, the attacker issues sequential GET requests (e.g., /wp-json/devs-accounting/v1/delete-account/1, /2, /3) to enumerate and soft-delete all accounting account records in the wp_dac_accounts table. … |
| Remediation | No vendor-released patch has been identified at time of analysis - the CPE range covers all versions through 1.2.0 and the Wordfence advisory does not specify a fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38677
GHSA-3vrh-gvf2-896w