CVE-2026-9175 in Devs Accounting Plugin
Summary
by MITRE • 06/24/2026
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account() REST API callback being registered with a permission_callback that unconditionally returns true, providing no authentication or authorization checks on the /devs-accounting/v1/get-account/ endpoint. This makes it possible for unauthenticated attackers to read arbitrary private financial account records (including account name, bank name, and opening balance) by enumerating the numeric account ID, resulting in sensitive information disclosure.
Analysis
by VulDB Data Team • 06/24/2026
The Devs Accounting plugin for WordPress, in all versions up to and including 1.2.0, fails to enforce authorization in its REST API. The get_single_account() REST API callback performs no authentication or authorization check, so any unauthenticated user can retrieve sensitive financial information simply by calling the endpoint directly.
The flaw lies in the permission_callback registered for the /devs-accounting/v1/get-account/ endpoint: it unconditionally returns true instead of validating the requester's credentials or role, so nothing stands between an anonymous request and private account data. The weakness is classified as CWE-863, Incorrect Authorization, where the system fails to verify that an actor is authorized to perform the requested operation.
The impact goes beyond a single disclosed record. Because account IDs are numeric, an attacker can enumerate them and retrieve many private financial records, including account names, bank institutions, and opening balances. That financial intelligence can support fraud or targeted follow-on attacks against the affected organization's financial systems. The behaviour maps to ATT&CK technique T1213.002 (Data from Information Repositories): unauthorized access to stored financial data through the API.
The missing check is also a failure of the principle of least privilege. Data that should be restricted to authenticated administrators or authorized personnel is readable by anyone who can reach the REST API, bypassing the plugin's normal access controls entirely.
Mitigation should close the gap by giving the REST callback a real permission_callback: sensitive endpoints must require a valid authenticated session or token and an appropriate user role before returning financial data. Concretely, validate the requester through WordPress's built-in authentication, enforce role- or capability-based access, and validate the account ID parameter. Regular audits of API route registrations should confirm that every endpoint enforces an authorization check, so that similar flaws do not reappear in later releases.
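A hardened registration of the affected endpoint, as an added example (not the plugin's own code); it assumes 'manage_options' as the required capability and a hypothetical devs_accounting_fetch_account() data-access helper:

```php
<?php
// Added example, not the plugin's own code: registering the advisory's
// /devs-accounting/v1/get-account/ route with a real permission_callback.
// Assumptions: 'manage_options' as the required capability, and a hypothetical
// devs_accounting_fetch_account( $id ) helper that returns array|null.

add_action( 'rest_api_init', function () {
    register_rest_route( 'devs-accounting/v1', '/get-account/', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'devs_accounting_get_single_account',
        // The vulnerable registration used '__return_true' here, so every
        // anonymous request was allowed through. Replace it with a real check.
        'permission_callback' => 'devs_accounting_can_read_account',
        'args'     => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Authorization check: a logged-in user holding the required capability.
// For cookie-authenticated requests WordPress core already verifies the
// X-WP-Nonce header before this callback runs.
function devs_accounting_can_read_account( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        // rest_authorization_required_code() yields 401 for anonymous, 403 for logged-in.
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view account records.', 'devs-accounting' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler: only reached after the permission check passes.
function devs_accounting_get_single_account( WP_REST_Request $request ) {
    $account = devs_accounting_fetch_account( absint( $request['id'] ) );
    if ( null === $account ) {
        return new WP_Error( 'not_found', 'Account not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $account );
}
```

Requests without a valid login (or without the capability) now receive a 401 or 403 before the handler touches any record, and the id argument is rejected unless it is a positive integer.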
Organizations using the plugin should update to a patched version immediately or, until one is available, disable the affected endpoint as a temporary workaround. The case shows that WordPress REST API endpoints become attack vectors when registered without proper permission checks, and underscores the need for security testing of plugin components and adherence to secure coding practice.
More broadly, the flaw is a breach of the trust model of the WordPress plugin ecosystem, where a plugin can inadvertently expose sensitive data through inadequate authorization checks. Even a simple accounting application must enforce authorization on every accessible API when it handles financial data, following established security frameworks and best practices so that only authenticated users with appropriate privileges can access confidential information stored by the plugin and its database.