CVE-2026-9172 in Devs Accounting Plugin
Summary
by MITRE • 06/24/2026
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID.
Analysis
by VulDB Data Team • 06/24/2026
The vulnerability in the Devs Accounting plugin is a critical authorization flaw that undermines the integrity of financial data managed inside WordPress. It stems from missing access control in the plugin's REST API implementation: in versions up to and including 1.2.0, the delete_single_account() function performs no capability check. The REST route devs-accounting/v1/delete-account/(?P\d+) is registered without a permission_callback argument, so any unauthenticated visitor can manipulate accounting records simply by sending a GET request carrying a valid account identifier.
The technical exploitation of this vulnerability occurs through the WordPress REST API framework which by default grants public access to endpoints lacking explicit authorization callbacks. When an attacker accesses the vulnerable endpoint with a specific account ID parameter, the system processes the deletion request without verifying whether the requester possesses appropriate administrative privileges or even basic authentication credentials. This architectural oversight transforms what should be a protected administrative function into a publicly accessible data modification interface, effectively enabling unauthorized soft-deletion of accounting records stored in the wp_dac_accounts database table.
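To make the mechanism concrete, the following added example (written for this analysis, not code from the Devs Accounting plugin) registers a soft-delete route the unsafe way and then the hardened way. The namespaces example-unsafe/v1 and example-accounting/v1, the handler name, the manage_options capability and the is_deleted column are assumptions; the table name wp_dac_accounts comes from the advisory. WordPress 5.5 and later emit a _doing_it_wrong notice when permission_callback is absent but still serve the route to the public, which is exactly the exposure described above.

```php
<?php
// Added example, not the plugin's own code. Illustrates the missing
// permission_callback pattern beside a hardened registration.

// UNSAFE (the pattern in the advisory): no permission_callback, so the
// route is public. WordPress >= 5.5 logs a notice but still registers it.
// A state-changing action is also exposed over GET, which is cacheable
// and trivially triggered by any link.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-unsafe/v1', '/delete-account/(?P<id>\d+)', array(
        'methods'  => 'GET',
        'callback' => 'example_delete_single_account',
    ) );
} );

// HARDENED: require an explicit capability (assumed: manage_options),
// validate and sanitize the id, and use DELETE for a destructive action.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-accounting/v1', '/delete-account/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_single_account',
        // Cookie-authenticated callers must present a valid REST nonce;
        // WordPress checks that before this runs and leaves the user as 0
        // when it fails, so a capability check alone is sufficient here.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Shared handler. Soft-deletes by flagging the row, as the advisory
// describes the real plugin doing. Column 'is_deleted' is an assumption.
function example_delete_single_account( WP_REST_Request $request ) {
    global $wpdb;
    $id    = (int) $request['id'];
    $table = $wpdb->prefix . 'dac_accounts';

    $updated = $wpdb->update(
        $table,
        array( 'is_deleted' => 1 ),
        array( 'id' => $id ),
        array( '%d' ),
        array( '%d' )
    );

    if ( false === $updated ) {
        return new WP_Error( 'db_error', 'Could not update account.', array( 'status' => 500 ) );
    }
    if ( 0 === $updated ) {
        return new WP_Error( 'not_found', 'No such account.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'deleted' => $id ) );
}
```

The defining difference is the presence of permission_callback: without it, the REST server never asks who the caller is before invoking the callback. A route that is genuinely meant to be public should say so explicitly with '__return_true' so that reviewers can tell intent from omission.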
The operational impact of this vulnerability extends beyond simple data corruption as it compromises the fundamental financial integrity of organizations relying on the plugin for accounting operations. Attackers can systematically target and remove accounting entries without detection, potentially disrupting financial reporting, tax compliance, and audit trails that organizations depend upon for regulatory adherence and business continuity. The soft-delete functionality means that records aren't permanently removed but rather marked as deleted, which creates a false sense of security while still allowing attackers to manipulate the data structure and potentially interfere with automated accounting processes or financial reconciliation procedures.
This vulnerability aligns with CWE-863 (Incorrect Authorization) and represents a clear violation of the principle of least privilege within web application security frameworks. The ATT&CK framework categorizes this issue under T1078 (Valid Accounts) and T1499 (Endpoint Denial of Service) as attackers can exploit legitimate API endpoints to perform unauthorized modifications. Organizations implementing this plugin face significant risk exposure, particularly in environments where accounting data integrity is paramount for compliance with financial regulations such as SOX or GDPR requirements. The vulnerability demonstrates the critical importance of implementing proper access controls and permission validation within REST API implementations, especially when dealing with sensitive operational data.
Mitigation should prioritize updating the plugin to a version that adds the missing authorization check. Administrators should also add protective measures such as restricting access to the API endpoint with firewall rules, rate-limiting API calls, and monitoring for unauthorized access attempts. Network-level controls, including web application firewalls and API gateways, provide additional defense-in-depth layers, and regular security audits of WordPress plugins should verify that proper capability checks are implemented on every exposed endpoint. Organizations should also consider comprehensive logging of accounting-related API interactions to detect exploitation attempts and to maintain audit trails that help identify unauthorized modifications to financial records.
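As an added example of the interim measures above (a virtual patch, logging, and an endpoint audit), the following must-use plugin is written for this analysis and is not code from the Devs Accounting plugin or VulDB. It assumes the route pattern from the advisory, that manage_options is the right capability for deleting accounts, and that error_log() output is collected by the site's log pipeline.

```php
<?php
/**
 * Plugin Name: Example accounting REST guard
 * Description: Added example (not the plugin's code). Place in wp-content/mu-plugins/.
 */

// 1. Virtual patch: refuse requests to the delete-account route from callers
//    lacking the assumed capability, and log each refused attempt.
//    rest_pre_dispatch runs after WordPress has authenticated the request,
//    so current_user_can() reflects the real caller.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    if ( ! preg_match( '#^/devs-accounting/v1/delete-account/\d+$#', $route ) ) {
        return $result; // not the vulnerable route; leave untouched
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $result; // privileged caller; let the plugin handle it
    }
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'accounting-guard: blocked %s %s from %s (user %d)',
        $request->get_method(), $route, $remote, get_current_user_id()
    ) );
    return new WP_Error( 'rest_forbidden', 'Forbidden.', array( 'status' => 403 ) );
}, 10, 3 );

// 2. Audit: once every plugin has registered its routes, report handlers that
//    have no permission_callback at all, and separately those that are
//    explicitly public, so reviewers can confirm each one is intentional.
add_action( 'rest_api_init', function () {
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            if ( empty( $handler['permission_callback'] ) ) {
                error_log( "accounting-guard: MISSING permission_callback on {$route}" );
            } elseif ( '__return_true' === $handler['permission_callback'] ) {
                error_log( "accounting-guard: explicitly public route {$route}" );
            }
        }
    }
}, PHP_INT_MAX );
```

The guard is a stopgap until the plugin is updated; it does not change the plugin's code, so a future version that renames the route would escape it. The audit output is the list a reviewer works through when verifying capability checks across all exposed endpoints, and the blocked-request log lines are the signal to alert on while the vulnerable version is still installed.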