Devs Accounting Simple Accounting And Invoicing Solution
Monthly
{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.
Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.
{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.
Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.