{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3642", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T16:05:36.669Z", "datePublished": "2026-04-15T08:28:14.866Z", "dateUpdated": "2026-04-15T08:28:14.866Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T08:28:14.866Z"}, "affected": [{"vendor": "forfront", "product": "e-shot", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The e-shot\u2122 form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action."}], "title": "e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Form Settings Modification via AJAX", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/815bd708-b2f8-4add-901b-863fbb3c4d81?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/admin/class-eshotformbuilder-admin.php#L656"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/admin/class-eshotformbuilder-admin.php#L656"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/includes/class-eshotformbuilder.php#L162"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/includes/class-eshotformbuilder.php#L162"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "timeline": [{"time": "2026-04-14T19:45:48.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T10:51:24.517345+00:00", "value": {"mitigation_remediation": ["Upgrade the e-shot plugin to a version newer than 1.0.2 that implements proper capability checks for the AJAX handler.", "If an upgrade is not available, modify the plugin to require a higher capability (e.g., administrator) before executing the eshot_form_builder_update_field_data action, or block the AJAX endpoint for non\u2011admin users using a security plugin or custom code.", "Add nonce verification to the AJAX request handling, and ensure that only requests with a valid nonce and sufficient capability are processed."], "summary": {"action": "Update Plugin", "impact": "Unauthorized alteration of form configuration"}, "threat_synthesis": {"affected_systems": "WordPress sites that have any version of the forfront e-shot plugin up to and including 1.0.2 are affected. The issue resides in the plugin files admin/class-eshotformbuilder-admin.php and includes/class-eshotformbuilder.php. Site owners should verify the plugin version they have installed and upgrade if it is 1.0.2 or earlier.", "description_and_impact": "The forfront e-shot plugin for WordPress contains an AJAX handler that changes form field settings without checking user capabilities or validating a nonce. Because the handler is registered to the wp_ajax_ hook, any authenticated user, including those with Subscriber-level access or higher, can invoke it. This flaw allows an attacker to modify properties such as whether a field is mandatory, its visibility, or form display options. The vulnerability corresponds to CWE\u2011862, Missing Authorization.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates a moderate severity. The EPSS score is not provided and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known public exploits at this time. Nevertheless, once an account with any authentication level of Subscriber or higher is compromised, an attacker can readily exercise this vulnerability by sending an AJAX request to the eshot_form_builder_update_field_data action. The lack of authorization checks means the attack does not require any special conditions beyond user authentication."}}}}, "created": "2026-04-15T13:49:14.863365+00:00", "updated": "2026-04-15T13:49:14.863420+00:00", "vendors": []}