Description
The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action.
Published: 2026-04-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized alteration of form configuration
Action: Update Plugin
AI Analysis

Impact

The forfront e-shot plugin for WordPress contains an AJAX handler that changes form field settings without checking user capabilities or validating a nonce. Because the handler is registered to the wp_ajax_ hook, any authenticated user, including those with Subscriber-level access or higher, can invoke it. This flaw allows an attacker to modify properties such as whether a field is mandatory, its visibility, or form display options. The vulnerability corresponds to CWE‑862, Missing Authorization.

Affected Systems

WordPress sites that have any version of the forfront e-shot plugin up to and including 1.0.2 are affected. The issue resides in the plugin files admin/class-eshotformbuilder-admin.php and includes/class-eshotformbuilder.php. Site owners should verify the plugin version they have installed and upgrade if it is 1.0.2 or earlier.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity. The EPSS score is not provided and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known public exploits at this time. Nevertheless, once an account with any authentication level of Subscriber or higher is compromised, an attacker can readily exercise this vulnerability by sending an AJAX request to the eshot_form_builder_update_field_data action. The lack of authorization checks means the attack does not require any special conditions beyond user authentication.

Generated by OpenCVE AI on April 15, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the e-shot plugin to a version newer than 1.0.2 that implements proper capability checks for the AJAX handler.
  • If an upgrade is not available, modify the plugin to require a higher capability (e.g., administrator) before executing the eshot_form_builder_update_field_data action, or block the AJAX endpoint for non‑admin users using a security plugin or custom code.
  • Add nonce verification to the AJAX request handling, and ensure that only requests with a valid nonce and sufficient capability are processed.

Generated by OpenCVE AI on April 15, 2026 at 10:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Forfront
Forfront e-shot
Wordpress
Wordpress wordpress
Vendors & Products Forfront
Forfront e-shot
Wordpress
Wordpress wordpress

Wed, 15 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action.
Title e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Form Settings Modification via AJAX
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Forfront E-shot
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T13:39:34.490Z

Reserved: 2026-03-06T16:05:36.669Z

Link: CVE-2026-3642

cve-icon Vulnrichment

Updated: 2026-04-16T13:39:30.433Z

cve-icon NVD

Status : Received

Published: 2026-04-15T09:16:31.550

Modified: 2026-04-15T09:16:31.550

Link: CVE-2026-3642

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:53:20Z

Weaknesses