Skip to main content

Devs Accounting EUVDEUVD-2026-38659

| CVE-2026-9175 MEDIUM
Missing Authorization (CWE-862)
2026-06-24 Wordfence GHSA-xwwp-6j8w-c2pm
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

REST API is network-reachable with no authentication or complexity; impact is read-only partial confidentiality with no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 06:59 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 5.3

DescriptionCVE.org

The Devs Accounting - Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account() REST API callback being registered with a permission_callback that unconditionally returns true, providing no authentication or authorization checks on the /devs-accounting/v1/get-account/<id> endpoint. This makes it possible for unauthenticated attackers to read arbitrary private financial account records (including account name, bank name, and opening balance) by enumerating the numeric account ID, resulting in sensitive information disclosure.

AnalysisAI

Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with plugin active
Delivery
Send unauthenticated GET to /wp-json/devs-accounting/v1/get-account/1
Exploit
Enumerate sequential numeric account IDs
Execution
Collect financial account records for all IDs
Impact
Exfiltrate account names, bank names, and opening balances

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond the plugin being installed and active on a WordPress site - the vulnerable REST API endpoint is registered automatically at plugin activation and is reachable by any unauthenticated user over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, score 5.3 Medium) is accurate and internally consistent: network-reachable, zero complexity, no authentication, no user interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker issues unauthenticated HTTP GET requests to https://target-site.com/wp-json/devs-accounting/v1/get-account/1 through /get-account/500, iterating over integer IDs in a simple loop with no credentials required. Each successful response returns the financial account name, bank name, and opening balance stored by the business, enabling complete extraction of all accounting records within seconds. …
Remediation No vendor-released patched version is confirmed in the available input data; the highest tagged release in the WordPress plugin repository referenced is 1.2.0, which is vulnerable. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38659 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy