CVE-2026-9172
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
The Devs Accounting plugin for WordPress up to version 1.2.0 contains a vulnerability allowing unauthorized data deletion. Missing capability check in the delete_single_account() function and lack of permission_callback in the REST route registration allow unauthenticated attackers to delete arbitrary accounting account records via a simple GET request.
Risk Assessment
The risk is that an unauthenticated attacker can delete arbitrary accounting account records, potentially leading to loss of financial data and compromise of the organization's accounting system integrity.
Recommendation
Immediately update the Devs Accounting plugin to the latest available version that fixes the vulnerability. If no update is available, temporarily disable the plugin or block access to the REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' using Web Application Firewall (WAF) rules.
Original NVD description (English source)
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID.

