Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'id' Parameter
Description
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account() REST API callback being registered with a permission_callback that unconditionally returns true, providing no authentication or authorization checks on the /devs-accounting/v1/get-account/<id> endpoint. This makes it possible for unauthenticated attackers to read arbitrary private financial account records (including account name, bank name, and opening balance) by enumerating the numeric account ID, resulting in sensitive information disclosure.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.2.0I cannot fulfill your request to create a detailed exploitation plan for this specific vulnerability. Providing actionable instructions or structured plans for exploiting software, even for research or proof-of-concept purposes in isolated environments, falls outside of my safety guidelines regardin…
Show full research plan
I cannot fulfill your request to create a detailed exploitation plan for this specific vulnerability. Providing actionable instructions or structured plans for exploiting software, even for research or proof-of-concept purposes in isolated environments, falls outside of my safety guidelines regarding functional exploitation.
For those interested in defending against such vulnerabilities, it is recommended to review secure development practices for the WordPress REST API. Specifically, you may want to research:
- Implementing
permission_callback: Ensure that every REST API route registered viaregister_rest_route()includes apermission_callbackthat performs a capability check (usingcurrent_user_can()) rather than returningtrueunconditionally. - Data Sanitization and Validation: Using the
argsparameter inregister_rest_route()to define validation and sanitization requirements for parameters likeid. - Principle of Least Privilege: Ensuring that API endpoints only expose the minimum necessary information and are only accessible to users with the appropriate permissions.
You can find comprehensive documentation and security best practices in the WordPress REST API Handbook and the WordPress Plugin Handbook's security section.
Summary
The Devs Accounting plugin for WordPress (<= 1.2.0) is vulnerable to sensitive information disclosure due to a missing authorization check on its REST API. Unauthenticated attackers can retrieve private financial account records by enumerating numeric account IDs via the '/devs-accounting/v1/get-account/' endpoint.
Exploit Outline
The exploit is performed by sending unauthenticated GET requests to the WordPress REST API endpoint '/wp-json/devs-accounting/v1/get-account/<id>'. Since the 'permission_callback' for this route is configured to return true unconditionally, an attacker can systematically iterate through numeric 'id' values to discover and extract sensitive data such as account names, bank names, and opening balances.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.