CVE-2026-3642
Missing Authorization in e-shot™ WordPress Plugin Allows Privilege Modification
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| form_builder | es-hot | to 1.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The e-shot™ form builder plugin for WordPress has a vulnerability called Missing Authorization in all versions up to and including 1.0.2. Specifically, the AJAX handler function eshot_form_builder_update_field_data() does not perform any capability checks or nonce verification. This means that any authenticated user, even those with low-level access such as Subscribers, can access this function.
Because of this lack of authorization checks, these users can modify form field configurations, including changing whether fields are mandatory, their visibility, and how the form is displayed.
How can this vulnerability impact me? :
This vulnerability allows authenticated users with minimal privileges to modify form configurations without proper authorization. This can lead to unauthorized changes in form behavior, such as making mandatory fields optional or hiding important fields, potentially disrupting data collection or user experience.
While it does not directly impact confidentiality or availability, it can affect the integrity of form data and the reliability of the forms used on the website.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated users with Subscriber-level access and above to modify form field configurations without proper authorization checks. This could lead to unauthorized changes in form data handling, potentially impacting the integrity and confidentiality of data collected through the forms.
Such unauthorized modifications may affect compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access and integrity to protect personal and sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized AJAX requests to the eshot_form_builder_update_field_data action, which is accessible to any authenticated user due to missing authorization checks.
You can check your WordPress logs or use network monitoring tools to identify suspicious POST requests to admin-ajax.php with the action parameter set to eshot_form_builder_update_field_data.
Example command to search web server logs for such requests (assuming Apache logs):
- grep 'action=eshot_form_builder_update_field_data' /var/log/apache2/access.log
Additionally, you can use WP-CLI or custom scripts to audit changes in form field configurations that might indicate exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable AJAX handler by implementing proper capability checks and nonce verification.
If a patch or updated version of the e-shot™ form builder plugin is available, update to the latest version that addresses this vulnerability.
As a temporary measure, you can disable or restrict access to the eshot_form_builder_update_field_data AJAX action for users below a trusted role level.
Monitor user roles and permissions to ensure that only trusted users have authenticated access to the WordPress admin area.