The vulnerability identified as CVE-2026-3546 affects the forfront e-shot plugin for WordPress, specifically all versions up to and including 1.0.2. The root cause is the insecure implementation of the AJAX handler function eshot_form_builder_get_account_data(), which is registered under the wp_ajax_ hook and accessible to any authenticated user regardless of their privilege level. This function does not perform any capability checks such as current_user_can('manage_options') nor does it verify a nonce to ensure request authenticity. Consequently, any authenticated user, including those with Subscriber-level access, can invoke this AJAX endpoint to retrieve sensitive data directly from the database. The data exposed includes the e-shot API token stored in the eshotformbuilder_control table and all associated subaccount information. Since the API token is a credential that grants access to the e-shot platform, its compromise can lead to unauthorized actions within the victim’s e-shot account, such as data exfiltration or manipulation of marketing campaigns. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 5.3, reflecting a medium severity level primarily due to the requirement for authentication and the limited scope of impact (confidentiality loss only). No patches or official fixes are currently listed, and no known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information, specifically the e-shot API token and subaccount data. This can lead to several downstream risks including unauthorized access to the victim’s e-shot platform account, potential manipulation or theft of marketing data, and disruption of email campaigns. Organizations relying on the e-shot plugin for their marketing automation and communications may face data confidentiality breaches, reputational damage, and potential compliance violations if customer data is involved. Since the vulnerability requires only authenticated access at the Subscriber level, any compromised or malicious low-privilege user account within the WordPress environment can be leveraged to exploit this flaw. This increases the risk in environments with multiple users or where account credentials may be weak or reused. The impact is limited to confidentiality; integrity and availability are not directly affected. However, the exposure of API tokens can facilitate further attacks or unauthorized actions on the e-shot platform, amplifying the overall risk.

1. Immediate mitigation should involve restricting access to the vulnerable AJAX endpoint by implementing proper capability checks, such as verifying that the user has administrative privileges (e.g., current_user_can('manage_options')) before processing the request. 2. Add nonce verification to the AJAX handler to ensure requests are legitimate and originate from authorized users. 3. If possible, update the plugin to a patched version once available from the vendor. In the absence of an official patch, consider temporarily disabling the e-shot plugin or removing the AJAX handler via custom code. 4. Audit user accounts on WordPress sites using this plugin to ensure that Subscriber or other low-privilege accounts are not compromised or unnecessary. 5. Rotate the exposed e-shot API tokens immediately after remediation to invalidate any tokens that may have been leaked. 6. Monitor logs for unusual AJAX requests or suspicious activity related to the eshot_form_builder_get_account_data() endpoint. 7. Educate site administrators about the risks of granting unnecessary user accounts and encourage strong authentication practices to reduce the risk of account compromise.