CVE Catalog

CVE-2026-9172

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile - higher than 13% of all known CVEs

Summary

The Devs Accounting plugin for WordPress up to version 1.2.0 contains a vulnerability allowing unauthorized data deletion. Missing capability check in the delete_single_account() function and lack of permission_callback in the REST route registration allow unauthenticated attackers to delete arbitrary accounting account records via a simple GET request.

Risk Assessment

The risk is that an unauthenticated attacker can delete arbitrary accounting account records, potentially leading to loss of financial data and compromise of the organization's accounting system integrity.

Recommendation

Immediately update the Devs Accounting plugin to the latest available version that fixes the vulnerability. If no update is available, temporarily disable the plugin or block access to the REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' using Web Application Firewall (WAF) rules.

Original NVD description (English source)

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS