[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuJbvZdnHu5s1EIbY5ZmNMjAQ7ChdIYpZRyEt67Y-pQg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":30},"CVE-2026-3642","e-shot-missing-authorization-to-authenticated-subscriber-form-settings-modification-via-ajax","e-shot \u003C= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Form Settings Modification via AJAX","The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()\u002Fwp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action.","e-shot-form-builder",null,"\u003C=1.0.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-14 19:45:48","2026-04-15 08:28:14",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F815bd708-b2f8-4add-901b-863fbb3c4d81?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3642 (e-shot Form Builder)\n\n## 1. Vulnerability Summary\nThe **e-shot™ form builder** plugin (up to version 1.0.2) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the function `eshot_form_builder_update_field_data()` is registered via the `wp_ajax_` hook but fails to implement any capability checks (e.g., `current_user_can()`) or CSRF protection (nonces). This allows any authenticated user—even those with the lowest permissions like **Subscribers**—to modify form field configurations, potentially altering form behavior, visibility, and data collection settings across the site.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `eshot_form_builder_update_field_data`\n- **Method:** POST\n- **Authentication:** Required (Subscriber level or higher).\n- **Vulnerable Parameter(s):** Likely parameters include form identifiers and configuration arrays (e.g., `form_id`, `field_id`, `status`, `mandatory`, `is_visible`).\n- **Preconditions:** The plugin must be active, and at least one form must exist for modification to be impactful.\n\n## 3. Code Flow\n1. **Entry Point:** A user sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with `action=eshot_form_builder_update_field_data`.\n2. 
**Hook Registration:** The plugin registers the handler (likely in the main plugin file or an admin\u002FAJAX inclusion file):\n   ```php\n   add_action('wp_ajax_eshot_form_builder_update_field_data', 'eshot_form_builder_update_field_data');\n   ```\n3. **Execution:** WordPress invokes `eshot_form_builder_update_field_data()`.\n4. **Vulnerable Sink:** The function reads data directly from `$_POST`. Because it lacks `current_user_can()` and `check_ajax_referer()`, it proceeds to update the form configuration in the database (likely using `update_post_meta()` if forms are CPTs, or `update_option()`).\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this endpoint **lacks nonce verification**. Therefore, no nonce is required to exploit the vulnerability.\n\nIf a nonce check were present but misconfigured, the strategy would be:\n1. Identify where the plugin localizes its AJAX variables (search for `wp_localize_script`).\n2. Create a page with the e-shot form shortcode (likely `[eshot_form id=\"...\"]`).\n3. Navigate to that page as an authenticated user.\n4. Extract the nonce from the JS object (e.g., `window.eshot_vars.nonce`).\n\n*Note: For this specific CVE, we proceed assuming no nonce is needed.*\n\n## 5. Exploitation Strategy\n### Step 1: Authentication\nLog in as a Subscriber user to obtain a session cookie.\n\n### Step 2: Target Identification\nDetermine the ID of an existing form. 
(In a test environment, we will create one).\n\n### Step 3: Payload Construction\nConstruct a POST request to modify a specific field's mandatory status or visibility.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Header:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=eshot_form_builder_update_field_data&form_id=[ID]&field_id=[FIELD_KEY]&mandatory=1&is_visible=0\n  ```\n  *(Note: Exact parameter names like `field_id`, `mandatory`, and `is_visible` are inferred based on the function name and description; these will be verified during initial source code inspection by the agent.)*\n\n### Step 4: Execution\nSend the request using the `http_request` tool.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `e-shot-form-builder` version 1.0.2 is installed.\n2. **Create Admin Form:** As an admin, create a sample form with at least one text field.\n   - Example: `wp post create --post_type=eshot_form --post_title=\"Contact Us\" --post_status=publish` (assuming `eshot_form` CPT).\n3. **Create Subscriber:**\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n4. **Identify Form ID:** Use `wp post list --post_type=eshot_form` to get the target ID.\n\n## 7. Expected Results\n- The AJAX request should return a successful status (likely `200 OK` or a JSON success message).\n- The targeted form configuration in the database will be updated.\n- When an admin views the form builder in the backend, the modified settings (e.g., a field being hidden or marked mandatory) will be reflected.\n\n## 8. Verification Steps\n1. **Database Check:** Use WP-CLI to inspect the post meta of the modified form:\n   ```bash\n   wp post meta list [FORM_ID]\n   ```\n   Verify that the field data reflects the malicious changes sent in the AJAX request.\n2. 
**UI Verification:** Log in as admin and navigate to the e-shot Form Builder settings for that form to see if the changes are visible in the editor.\n\n## 9. Alternative Approaches\nIf `eshot_form_builder_update_field_data` requires a specific data structure (like a nested array or JSON string):\n- **JSON Payload:** Try sending the data as a JSON string in a `data` parameter:\n  `action=eshot_form_builder_update_field_data&form_id=1&data={\"field_1\":{\"mandatory\":\"true\"}}`\n- **Global Settings:** If the function updates global plugin options rather than specific forms, check `wp option get` for keys starting with `eshot_`.\n- **Action Guessing:** If the action name is slightly different (e.g., `update_form_settings`), use `grep -r \"wp_ajax_\" .` inside the plugin directory to find the exact hook name.","The e-shot™ form builder plugin for WordPress is vulnerable to unauthorized form configuration changes due to a lack of capability checks and nonce verification in its AJAX handler. This allows authenticated users with Subscriber-level access or higher to modify field settings, visibility, and mandatory requirements for existing forms.","--- a\u002Fe-shot-form-builder.php\n+++ b\u002Fe-shot-form-builder.php\n@@ -10,4 +10,9 @@\n function eshot_form_builder_update_field_data() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Forbidden', 403 );\n+    }\n+    check_ajax_referer( 'eshot_form_builder_nonce', 'security' );\n+ \n     $form_id = $_POST['form_id'];","An attacker authenticates as a Subscriber and identifies a target form ID. They send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with action=eshot_form_builder_update_field_data, providing the form_id and new configuration values (such as setting mandatory=1 or is_visible=0). 
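Review bot: the hunk header @@ -10,4 +10,9 @@ declares four pre-image lines but the hunk body shows only two context lines (the function opening and the $form_id assignment), so this diff will not apply cleanly as written; regenerate it against the real file so the counts match. Within the same hunk, the added capability and nonce checks are correct in intent (wp_send_json_error() terminates the request, so no explicit return is needed), but the line $form_id = $_POST['form_id']; that follows them is still used unsanitized; wrap it in absint() (or sanitize_text_field() if the form identifier is a string key) before it reaches any database update, and drop the trailing whitespace on the blank + line. Note also that this record's patched_in_version is null and patch_diff_files is empty, so this is the research-generated proposed fix rather than the vendor's released patch, and should be labelled as such.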
Since the plugin lacks authorization checks and nonce verification, it processes the request and modifies the form's configuration in the database.","gemini-3-flash-preview","2026-04-16 15:41:36","2026-04-16 15:41:53",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fe-shot-form-builder\u002Ftags"]