CVE-2026-9175
Missing Authorization in Devs Accounting WordPress Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account() REST API callback being registered with a permission_callback that unconditionally returns true, providing no authentication or authorization checks on the /devs-accounting/v1/get-account/<id> endpoint. This makes it possible for unauthenticated attackers to read arbitrary private financial account records (including account name, bank name, and opening balance) by enumerating the numeric account ID, resulting in sensitive information disclosure.
Affected Vendors & Products
Vendor: devs_accounting
Product: simple_accounting_and_invoicing_solution
Version / Range: up to 1.2.0 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The vulnerability exists in the Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress, specifically in all versions up to and including 1.2.0. It is caused by the get_single_account() REST API callback being registered with a permission_callback that always returns true, meaning there are no authentication or authorization checks on the endpoint /devs-accounting/v1/get-account/<id>. As a result, unauthenticated attackers can access and read private financial account records by guessing or enumerating the numeric account ID.

  • Unauthenticated attackers can retrieve sensitive information such as account name, bank name, and opening balance.
  • The vulnerability leads to sensitive information disclosure without requiring any user authentication.
Impact Analysis

This vulnerability can impact you by exposing sensitive financial information stored in the plugin to unauthorized parties. Attackers can access private account details such as account names, bank names, and opening balances without any authentication.

  • Loss of confidentiality of private financial data.
  • Potential privacy violations due to unauthorized data disclosure.
  • Increased risk of fraud or identity theft if attackers misuse the exposed financial information.
Detection Guidance

This vulnerability can be detected by checking if the /devs-accounting/v1/get-account/<id> REST API endpoint is accessible without authentication or authorization.

One way to detect it is to attempt to enumerate numeric account IDs by sending HTTP GET requests to the endpoint and observing if private financial account data is returned without requiring credentials.

  • Use curl commands to test access, for example: curl -X GET https://your-wordpress-site.com/wp-json/devs-accounting/v1/get-account/1
  • Repeat the curl command with different numeric IDs to see if sensitive data is disclosed.
Mitigation Strategies

Immediate mitigation steps include updating the Devs Accounting – Simple Accounting and Invoicing Solution plugin to a version later than 1.2.0 where the vulnerability is fixed.

If an update is not immediately available, restrict access to the vulnerable REST API endpoint by implementing authentication or IP-based access controls on the /devs-accounting/v1/get-account/<id> endpoint.

Additionally, monitor your logs for any unauthorized access attempts to this endpoint and consider temporarily disabling the plugin if sensitive data exposure is a critical concern.
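The registration pattern the description refers to, shown next to a hardened form of the same route. This is an added illustration written for this page, not the plugin's own code: the namespace, route and get_single_account callback follow the advisory text, while the capability name and the validation rules are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Only one of the two
// registrations below would exist in a real plugin; both are shown
// side by side for comparison.

// Weak pattern described in the advisory: permission_callback always
// returns true, so unauthenticated requests reach the callback (CWE-862).
add_action( 'rest_api_init', function () {
    register_rest_route( 'devs-accounting/v1', '/get-account/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'get_single_account',
        'permission_callback' => '__return_true', // no authorization check
    ) );
} );

// Hardened pattern: require a logged-in user holding a capability and
// validate the id argument before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'devs-accounting/v1', '/get-account/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'get_single_account',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // 'manage_options' is an assumed capability; a plugin would
            // normally register one scoped to its own accounting data.
            if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to view account records.',
                    // 401 for anonymous callers, 403 for logged-in users
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                // reject anything that is not a positive integer
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

With the hardened registration, the curl check from the detection guidance returns a 401 response instead of account data when sent without credentials.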
