CVE-2026-3642
Received Received - Intake
Missing Authorization in e-shot™ WordPress Plugin Allows Privilege Modification

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Wordfence

Description
The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3642
EUVD
EUVD-2026-22857
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
form_builder es-hot to 1.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized AJAX requests to the eshot_form_builder_update_field_data action, which is accessible to any authenticated user due to missing authorization checks.

You can check your WordPress logs or use network monitoring tools to identify suspicious POST requests to admin-ajax.php with the action parameter set to eshot_form_builder_update_field_data.

Example command to search web server logs for such requests (assuming Apache logs):

  • grep 'action=eshot_form_builder_update_field_data' /var/log/apache2/access.log

Additionally, you can use WP-CLI or custom scripts to audit changes in form field configurations that might indicate exploitation.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable AJAX handler by implementing proper capability checks and nonce verification.

If a patch or updated version of the e-shot™ form builder plugin is available, update to the latest version that addresses this vulnerability.

As a temporary measure, you can disable or restrict access to the eshot_form_builder_update_field_data AJAX action for users below a trusted role level.

Monitor user roles and permissions to ensure that only trusted users have authenticated access to the WordPress admin area.

Executive Summary

The e-shot™ form builder plugin for WordPress has a vulnerability called Missing Authorization in all versions up to and including 1.0.2. Specifically, the AJAX handler function eshot_form_builder_update_field_data() does not perform any capability checks or nonce verification. This means that any authenticated user, even those with low-level access such as Subscribers, can access this function.

Because of this lack of authorization checks, these users can modify form field configurations, including changing whether fields are mandatory, their visibility, and how the form is displayed.

Impact Analysis

This vulnerability allows authenticated users with minimal privileges to modify form configurations without proper authorization. This can lead to unauthorized changes in form behavior, such as making mandatory fields optional or hiding important fields, potentially disrupting data collection or user experience.

While it does not directly impact confidentiality or availability, it can affect the integrity of form data and the reliability of the forms used on the website.

Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access and above to modify form field configurations without proper authorization checks. This could lead to unauthorized changes in form data handling, potentially impacting the integrity and confidentiality of data collected through the forms.

Such unauthorized modifications may affect compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access and integrity to protect personal and sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3642. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart