CVE-2026-9172
Unauthenticated Data Deletion in Devs Accounting WordPress Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID.
Generated: 2026-06-24
Affected Vendors & Products
Vendor: devs_accounting
Product: simple_accounting_and_invoicing_solution
Version range: up to 1.2.0 (inclusive)
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress has a vulnerability in versions up to and including 1.2.0. This vulnerability arises because the delete_single_account() function lacks a capability check, and the REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission callback. As a result, this endpoint is publicly accessible without authentication.

This means that an unauthenticated attacker can send a simple GET request to this endpoint with any account ID and cause the soft deletion of arbitrary accounting account records in the wp_dac_accounts database table.

Impact Analysis

This vulnerability allows unauthenticated attackers to modify (soft-delete) accounting account records without authorization. This could lead to loss or alteration of important financial data, potentially disrupting accounting and invoicing operations.

Although the vulnerability does not allow data disclosure or deletion of the entire database, the unauthorized modification of accounting records can impact business operations and data integrity.

Detection Guidance

This vulnerability can be detected by monitoring for GET requests to the REST API endpoint 'devs-accounting/v1/delete-account/<id>', where <id> is any account ID. Because the endpoint requires no authentication, any such request that did not originate from a legitimate administrative session could indicate an exploitation attempt.

To detect this on your system, you can check your web server or WordPress access logs for GET requests matching the pattern '/wp-json/devs-accounting/v1/delete-account/'.

  • Use grep to search logs: grep "/wp-json/devs-accounting/v1/delete-account/" /path/to/access.log
  • Use network monitoring tools to detect suspicious GET requests to the vulnerable REST route.
Mitigation Strategies

The immediate mitigation is to update the Devs Accounting plugin to a version later than 1.2.0, in which the vulnerability is fixed.

If an update is not immediately available, restrict access to the vulnerable REST API endpoint by implementing authentication or firewall rules to block unauthenticated requests to the route 'devs-accounting/v1/delete-account/'.

Additionally, monitor logs for suspicious activity and consider temporarily disabling the plugin if possible until a patch is applied.
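As an added illustration (not code from the Devs Accounting plugin or from Wordfence), the CWE-862 pattern behind this CVE and its fix: the route registered without a permission_callback, the same route with an explicit capability check, and an interim mu-plugin that rejects unauthenticated calls to the route until the plugin is updated. Only the route and the delete_single_account() name come from the advisory; the function layout and the 'manage_options' capability are assumptions.

```php
<?php
// Added example, not the plugin's own code. Function layout and the
// 'manage_options' capability are assumed; only the route and
// delete_single_account() are taken from the advisory.

// VULNERABLE pattern (shown for contrast, deliberately not hooked): with no
// 'permission_callback', WordPress treats the route as public, so an
// unauthenticated GET reaches delete_single_account() directly.
function dac_register_route_vulnerable() {
    register_rest_route( 'devs-accounting/v1', '/delete-account/(?P<id>\d+)', array(
        'methods'  => 'GET',
        'callback' => 'delete_single_account',
        // missing: 'permission_callback' => ...
    ) );
}

// HARDENED pattern: explicit capability check, a state-changing HTTP verb
// instead of GET, and a sanitised id argument.
function dac_register_route_hardened() {
    register_rest_route( 'devs-accounting/v1', '/delete-account/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'delete_single_account',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' ); // assumed capability
        },
        'args' => array(
            'id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'dac_register_route_hardened' );

// INTERIM MITIGATION (drop into wp-content/mu-plugins/ until the plugin is
// updated): short-circuit the request before any callback runs.
// rest_pre_dispatch fires after REST authentication, so the capability check
// reflects the caller's real session; returning a WP_Error serves it as the
// response (HTTP 403) and the logged line gives a detection signal.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route(); // e.g. '/devs-accounting/v1/delete-account/12'
    if ( 0 === strpos( $route, '/devs-accounting/v1/delete-account/' )
         && ! current_user_can( 'manage_options' ) ) {
        error_log( 'Blocked unauthorized delete-account call to ' . $route );
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
```

The mu-plugin block only buys time: it does not change the plugin's own route registration, so the update to a fixed version is still required.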
