CVE-2026-3642

e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Form Settings Modification via AJAX

Severity: Medium (Missing Authorization)
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.0.2
Published: April 14, 2026
Last updated: April 15, 2026
Affected plugin: e-shot-form-builder
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-3642 (e-shot Form Builder)

1. Vulnerability Summary

The e-shot™ form builder plugin (up to version 1.0.2) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the function eshot_form_builder_update_field_data() is registered via the wp_ajax_ hook but fails to implement any capability checks (e.g., current_user_can()) or CSRF protection (nonces). This allows any authenticated user—even those with the lowest permissions like Subscribers—to modify form field configurations, potentially altering form behavior, visibility, and data collection settings across the site.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: eshot_form_builder_update_field_data
  • Method: POST
  • Authentication: Required (Subscriber level or higher).
  • Vulnerable Parameter(s): Likely parameters include form identifiers and configuration arrays (e.g., form_id, field_id, status, mandatory, is_visible).
  • Preconditions: The plugin must be active, and at least one form must exist for modification to be impactful.

3. Code Flow

  1. Entry Point: A user sends a POST request to /wp-admin/admin-ajax.php with action=eshot_form_builder_update_field_data.
  2. Hook Registration: The plugin registers the handler (likely in the main plugin file or an admin/AJAX inclusion file):
    add_action('wp_ajax_eshot_form_builder_update_field_data', 'eshot_form_builder_update_field_data');
    
  3. Execution: WordPress invokes eshot_form_builder_update_field_data().
  4. Vulnerable Sink: The function reads data directly from $_POST. Because it lacks current_user_can() and check_ajax_referer(), it proceeds to update the form configuration in the database (likely using update_post_meta() if forms are CPTs, or update_option()).
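
The handler that the code flow above describes, reconstructed here as an added example (this is not the plugin's own code): the vulnerable shape, which reads $_POST and writes to the database with no checks, next to a hardened version that authorizes, verifies the nonce and validates every input before touching post meta. The meta key eshot_fields, the post type eshot_form, the nonce action eshot_form_builder_nonce, the security field name and the script handle eshot-form-builder-admin are assumptions.

```php
<?php
/**
 * Added example, not code from the e-shot plugin. The vulnerable handler
 * mirrors the behaviour the advisory describes; the hardened one shows the
 * checks a WordPress AJAX handler needs. Meta key 'eshot_fields', post type
 * 'eshot_form', nonce action 'eshot_form_builder_nonce', the 'security'
 * field and the script handle are assumptions.
 */

// BEFORE: no capability check, no nonce, raw $_POST straight into the database.
// Because it is hooked on wp_ajax_, any logged-in user can reach it.
function eshot_form_builder_update_field_data_vulnerable() {
    $form_id  = $_POST['form_id'];
    $field_id = $_POST['field_id'];
    $fields   = get_post_meta( $form_id, 'eshot_fields', true );
    $fields[ $field_id ]['mandatory']  = $_POST['mandatory'];
    $fields[ $field_id ]['is_visible'] = $_POST['is_visible'];
    update_post_meta( $form_id, 'eshot_fields', $fields );
    wp_send_json_success();
}

// AFTER: authorize, verify the nonce, then validate input before writing.
function eshot_form_builder_update_field_data_hardened() {
    // 1. Capability check. 'manage_options' restricts this to administrators;
    //    use a narrower custom capability if the plugin defines one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. CSRF protection. check_ajax_referer() calls wp_die() on failure,
    //    so execution never continues past this line with a bad nonce.
    check_ajax_referer( 'eshot_form_builder_nonce', 'security' );

    // 3. Validate the form id and confirm the target really is a form post.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( ! $form_id || 'eshot_form' !== get_post_type( $form_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid form' ), 400 );
    }

    // 4. Sanitize the field key and coerce flags to booleans instead of
    //    persisting whatever string the client sent.
    $field_id   = isset( $_POST['field_id'] ) ? sanitize_key( wp_unslash( $_POST['field_id'] ) ) : '';
    $mandatory  = ! empty( $_POST['mandatory'] ) ? 1 : 0;
    $is_visible = ! empty( $_POST['is_visible'] ) ? 1 : 0;

    $fields = get_post_meta( $form_id, 'eshot_fields', true );
    if ( ! is_array( $fields ) || ! isset( $fields[ $field_id ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown field' ), 400 );
    }

    $fields[ $field_id ]['mandatory']  = $mandatory;
    $fields[ $field_id ]['is_visible'] = $is_visible;
    update_post_meta( $form_id, 'eshot_fields', $fields );

    wp_send_json_success( array( 'form_id' => $form_id, 'field_id' => $field_id ) );
}

// The wp_ajax_ hook is what exposes the handler to every logged-in user;
// the checks inside the function are the only thing gating the write.
add_action( 'wp_ajax_eshot_form_builder_update_field_data', 'eshot_form_builder_update_field_data_hardened' );

// The admin-side script must receive a matching nonce, otherwise legitimate
// editor requests fail the referer check (assumed handle 'eshot-form-builder-admin').
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script(
        'eshot-form-builder-admin',
        'eshot_vars',
        array(
            'ajax_url' => admin_url( 'admin-ajax.php' ),
            'security' => wp_create_nonce( 'eshot_form_builder_nonce' ),
        )
    );
} );
```

The order matters: the capability check runs first so an unauthorized caller learns nothing about nonce validity, and the post-type check stops the handler from writing meta onto an arbitrary post id that happens to exist.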

4. Nonce Acquisition Strategy

According to the vulnerability description, this endpoint lacks nonce verification. Therefore, no nonce is required to exploit the vulnerability.

If a nonce check were present but misconfigured, the strategy would be:

  1. Identify where the plugin localizes its AJAX variables (search for wp_localize_script).
  2. Create a page with the e-shot form shortcode (likely [eshot_form id="..."]).
  3. Navigate to that page as an authenticated user.
  4. Extract the nonce from the JS object (e.g., window.eshot_vars.nonce).

Note: For this specific CVE, we proceed assuming no nonce is needed.

5. Exploitation Strategy

Step 1: Authentication

Log in as a Subscriber user to obtain a session cookie.

Step 2: Target Identification

Determine the ID of an existing form. (In a test environment, we will create one).

Step 3: Payload Construction

Construct a POST request to modify a specific field's mandatory status or visibility.

Request Details:

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Header: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=eshot_form_builder_update_field_data&form_id=[ID]&field_id=[FIELD_KEY]&mandatory=1&is_visible=0
    
    (Note: Exact parameter names like field_id, mandatory, and is_visible are inferred based on the function name and description; these will be verified during initial source code inspection by the agent.)

Step 4: Execution

Send the request using the http_request tool.

6. Test Data Setup

  1. Install Plugin: Ensure e-shot-form-builder version 1.0.2 is installed.
  2. Create Admin Form: As an admin, create a sample form with at least one text field.
    • Example: wp post create --post_type=eshot_form --post_title="Contact Us" --post_status=publish (assuming eshot_form CPT).
  3. Create Subscriber:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  4. Identify Form ID: Use wp post list --post_type=eshot_form to get the target ID.

7. Expected Results

  • The AJAX request should return a successful status (likely 200 OK or a JSON success message).
  • The targeted form configuration in the database will be updated.
  • When an admin views the form builder in the backend, the modified settings (e.g., a field being hidden or marked mandatory) will be reflected.

8. Verification Steps

  1. Database Check: Use WP-CLI to inspect the post meta of the modified form:
    wp post meta list [FORM_ID]
    
    Verify that the field data reflects the malicious changes sent in the AJAX request.
  2. UI Verification: Log in as admin and navigate to the e-shot Form Builder settings for that form to see if the changes are visible in the editor.

9. Alternative Approaches

If eshot_form_builder_update_field_data requires a specific data structure (like a nested array or JSON string):

  • JSON Payload: Try sending the data as a JSON string in a data parameter:
    action=eshot_form_builder_update_field_data&form_id=1&data={"field_1":{"mandatory":"true"}}
  • Global Settings: If the function updates global plugin options rather than specific forms, check wp option get for keys starting with eshot_.
  • Action Guessing: If the action name is slightly different (e.g., update_form_settings), use grep -r "wp_ajax_" . inside the plugin directory to find the exact hook name.
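
A defender's counterpart to the grep in the last bullet, added here as an example and not part of the plugin or this advisory: a small PHP script that lists every wp_ajax_ handler registered with a plain string callback and flags the ones whose body calls neither current_user_can() nor one of the nonce-verification functions. The embedded sample source is constructed to mirror the shape the advisory describes; pass a plugin directory on the command line to scan real code instead.

```php
<?php
/**
 * Added example (not from the e-shot plugin or this advisory): a heuristic
 * audit for wp_ajax_ handlers missing authorization or nonce checks.
 * Usage: php audit.php            (runs over the constructed sample below)
 *        php audit.php /path/to/plugin
 */

function eshot_audit_find_ajax_registrations( string $source ): array {
    // add_action( 'wp_ajax_<action>', 'handler' ) with a string callback.
    $pattern = '/add_action\s*\(\s*[\'"](wp_ajax_(?:nopriv_)?[\w\-]+)[\'"]\s*,\s*[\'"](\w+)[\'"]/';
    preg_match_all( $pattern, $source, $matches, PREG_SET_ORDER );
    $registrations = array();
    foreach ( $matches as $m ) {
        $registrations[ $m[1] ] = $m[2];
    }
    return $registrations;
}

function eshot_audit_function_body( string $source, string $name ): ?string {
    // Locate "function <name>(" and return its brace-balanced body.
    $regex = '/\bfunction\s+' . preg_quote( $name, '/' ) . '\s*\(/';
    if ( ! preg_match( $regex, $source, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $open = strpos( $source, '{', $m[0][1] );
    if ( false === $open ) {
        return null;
    }
    $depth = 0;
    for ( $i = $open, $n = strlen( $source ); $i < $n; $i++ ) {
        if ( '{' === $source[ $i ] ) {
            $depth++;
        } elseif ( '}' === $source[ $i ] ) {
            $depth--;
            if ( 0 === $depth ) {
                return substr( $source, $open, $i - $open + 1 );
            }
        }
    }
    return null; // unbalanced braces
}

function eshot_audit_source( string $source ): array {
    $findings = array();
    foreach ( eshot_audit_find_ajax_registrations( $source ) as $hook => $handler ) {
        $body = eshot_audit_function_body( $source, $handler );
        if ( null === $body ) {
            $findings[ $hook ] = array( 'handler' => $handler, 'issue' => 'handler body not found' );
            continue;
        }
        $has_cap   = (bool) preg_match( '/\bcurrent_user_can\s*\(/', $body );
        $has_nonce = (bool) preg_match( '/\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(/', $body );
        $issues = array();
        if ( ! $has_cap ) {
            $issues[] = 'no capability check';
        }
        if ( ! $has_nonce ) {
            $issues[] = 'no nonce verification';
        }
        $findings[ $hook ] = array( 'handler' => $handler, 'issue' => $issues ? implode( ', ', $issues ) : 'ok' );
    }
    return $findings;
}

// Constructed sample: one unguarded handler, one guarded handler.
$sample = <<<'PHP'
add_action( 'wp_ajax_eshot_form_builder_update_field_data', 'eshot_form_builder_update_field_data' );
add_action( 'wp_ajax_eshot_form_builder_save', 'eshot_form_builder_save' );

function eshot_form_builder_update_field_data() {
    $form_id = $_POST['form_id'];
    update_post_meta( $form_id, 'eshot_fields', $_POST['fields'] );
    wp_send_json_success();
}

function eshot_form_builder_save() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( 'Forbidden', 403 ); }
    check_ajax_referer( 'eshot_form_builder_nonce', 'security' );
    wp_send_json_success();
}
PHP;

$source = $sample;
if ( ! empty( $argv[1] ) && is_dir( $argv[1] ) ) {
    // Concatenate every .php file under the directory so cross-file
    // registrations still resolve to their handler bodies.
    $source = '';
    $it = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $argv[1] ) );
    foreach ( $it as $file ) {
        if ( 'php' === strtolower( $file->getExtension() ) ) {
            $source .= file_get_contents( $file->getPathname() ) . "\n";
        }
    }
}

foreach ( eshot_audit_source( $source ) as $hook => $finding ) {
    printf( "%-55s %-40s %s\n", $hook, $finding['handler'], $finding['issue'] );
}
```

Treat a hit as a candidate for manual review rather than a confirmed finding: the regex only resolves string callbacks (array and closure callbacks are skipped), and a check performed in a shared wrapper function rather than inside the handler body will be reported as missing.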

Research Findings

Static analysis — not yet PoC-verified

Summary

The e-shot™ form builder plugin for WordPress is vulnerable to unauthorized form configuration changes due to a lack of capability checks and nonce verification in its AJAX handler. This allows authenticated users with Subscriber-level access or higher to modify field settings, visibility, and mandatory requirements for existing forms.

Security Fix

--- a/e-shot-form-builder.php
+++ b/e-shot-form-builder.php
@@ -10,4 +10,9 @@
 function eshot_form_builder_update_field_data() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Forbidden', 403 );
+    }
+    check_ajax_referer( 'eshot_form_builder_nonce', 'security' );
+ 
     $form_id = $_POST['form_id'];
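Review bot: the line `$form_id = $_POST['form_id'];` still takes the form id raw after the new guards; cast it with absint() and confirm the post is actually a form (get_post_type() check) before any update_post_meta() call, otherwise an authorized user can still write this meta onto an arbitrary post id. The nonce action 'eshot_form_builder_nonce' and the 'security' field only work if the admin-side script is updated to send a matching wp_create_nonce() value, and that change is not in this hunk; without it every legitimate editor request will now fail check_ajax_referer(). The early exit on the capability check is sound as written, since wp_send_json_error() terminates via wp_die().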

Exploit Outline

An attacker authenticates as a Subscriber and identifies a target form ID. They send a POST request to /wp-admin/admin-ajax.php with action=eshot_form_builder_update_field_data, providing the form_id and new configuration values (such as setting mandatory=1 or is_visible=0). Since the plugin lacks authorization checks and nonce verification, it processes the request and modifies the form's configuration in the database.
