CVE-2026-9172

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete single account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?Pd+)' is registered without any permission callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp dac accounts) by issuing a simple GET request to the endpoint with any account ID.