Description
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim's e-shot platform account.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Patch
AI Analysis

Impact

The e-shot form builder plugin for WordPress contains an issue where the function eshot_form_builder_get_account_data is exposed as an AJAX handler to all logged‑in users. The code does not perform any capability verification or nonce validation and reads the API token and subaccount data directly from the database, returning it as JSON. This allows an attacker who can log in as a Subscriber or higher to obtain credentials that could be used to compromise the victim’s e‑shot platform account. The weakness reflects the improper validation of user authority (CWE-202).

Affected Systems

WordPress sites that have the Form Builder for e‑shot plugin installed with version 1.0.2 or any earlier release are affected. The vulnerability applies to all authenticated users, including those with Subscriber level access. All sites that rely on this plugin and have not upgraded beyond this release should review their configuration.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity vulnerability. An attacker only needs to be logged into the site with Subscriber or higher privileges, a common role for many users, and can simply invoke the AJAX endpoint to retrieve the token. Because the exploit requires no additional credentials and the code performs no security checks, the risk of compromise is considered high for any exposed token. EPSS information is not available, and the vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, but its ease of exploitation makes it a worthwhile concern for administrators.

Generated by OpenCVE AI on March 21, 2026 at 07:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the e‑shot plugin to a version newer than 1.0.2 when it becomes available.
  • If an update is not immediately available, modify or disable the eshot_form_builder_get_account_data AJAX handler so that it requires the 'manage_options' capability or higher.
  • Review other AJAX actions in the plugin to ensure they also enforce proper capability checks and monitor site logs for attempts to call the vulnerable endpoint.

Generated by OpenCVE AI on March 21, 2026 at 07:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Forfront
Forfront e-shot
Wordpress
Wordpress wordpress
Vendors & Products Forfront
Forfront e-shot
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim's e-shot platform account.
Title e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action
Weaknesses CWE-202
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Forfront E-shot
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:13.518Z

Reserved: 2026-03-04T18:26:18.273Z

Link: CVE-2026-3546

cve-icon Vulnrichment

Updated: 2026-03-24T13:53:51.901Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T04:17:27.713

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-3546

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:41:53Z

Weaknesses