Skip to main content

Devs Accounting EUVDEUVD-2026-38677

| CVE-2026-9172 MEDIUM
Missing Authorization (CWE-862)
2026-06-24 Wordfence GHSA-3vrh-gvf2-896w
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable via simple GET request, no credentials required, scope unchanged; integrity impact is Low reflecting soft-deletion only, with no confidentiality or availability consequences.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 07:00 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 5.3

DescriptionCVE.org

The Devs Accounting - Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID.

AnalysisAI

{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with Devs Accounting plugin active
Exploit
Request /wp-json/devs-accounting/v1/delete-account/1 with no credentials
Execution
Enumerate valid account IDs via sequential GET requests
Impact
Soft-delete all accounting records in wp_dac_accounts

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target WordPress site has the Devs Accounting plugin installed and active in version 1.2.0 or earlier, with the WordPress REST API reachable over HTTP/HTTPS - the default configuration for any publicly accessible WordPress installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N accurately characterizes this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans for WordPress installations exposing the /wp-json/devs-accounting/v1/delete-account/ endpoint, either through targeted reconnaissance or mass internet scanning. Without any credentials or session tokens, the attacker issues sequential GET requests (e.g., /wp-json/devs-accounting/v1/delete-account/1, /2, /3) to enumerate and soft-delete all accounting account records in the wp_dac_accounts table. …
Remediation No vendor-released patch has been identified at time of analysis - the CPE range covers all versions through 1.2.0 and the Wordfence advisory does not specify a fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy