Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
REST API is network-reachable with no authentication or complexity; impact is read-only partial confidentiality with no integrity or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Devs Accounting - Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account() REST API callback being registered with a permission_callback that unconditionally returns true, providing no authentication or authorization checks on the /devs-accounting/v1/get-account/<id> endpoint. This makes it possible for unauthenticated attackers to read arbitrary private financial account records (including account name, bank name, and opening balance) by enumerating the numeric account ID, resulting in sensitive information disclosure.
AnalysisAI
Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond the plugin being installed and active on a WordPress site - the vulnerable REST API endpoint is registered automatically at plugin activation and is reachable by any unauthenticated user over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, score 5.3 Medium) is accurate and internally consistent: network-reachable, zero complexity, no authentication, no user interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker issues unauthenticated HTTP GET requests to https://target-site.com/wp-json/devs-accounting/v1/get-account/1 through /get-account/500, iterating over integer IDs in a simple loop with no credentials required. Each successful response returns the financial account name, bank name, and opening balance stored by the business, enabling complete extraction of all accounting records within seconds. … |
| Remediation | No vendor-released patched version is confirmed in the available input data; the highest tagged release in the WordPress plugin repository referenced is 1.2.0, which is vulnerable. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38659
GHSA-xwwp-6j8w-c2pm