CVE-2026-3642: CWE-862 Missing Authorization in forfront e-shot
The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action.
AI Analysis
Technical Summary
The e-shot form builder plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) in the eshot_form_builder_update_field_data() AJAX handler. This function is registered via the wp_ajax_ hook but does not perform any capability checks (e.g., current_user_can()) or nonce verification (e.g., check_ajax_referer()). Consequently, any authenticated user, including those with minimal privileges such as Subscribers, can invoke this AJAX action to alter form field configurations, including mandatory status, visibility, and display preferences. The vulnerability affects all versions up to and including 1.0.2. There is no vendor-provided patch or official remediation at this time.
Potential Impact
The vulnerability allows authenticated users with Subscriber-level access or higher to modify form field configurations without proper authorization. This could lead to unauthorized changes in form behavior, potentially disrupting form functionality or user experience. There is no impact on confidentiality or availability reported. The integrity of form configuration data is affected at a low level.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict authenticated user roles to trusted users only and monitor for unauthorized changes to form configurations. Avoid granting unnecessary access to Subscriber-level accounts. No official fix or temporary workaround has been published by the vendor as of now.
CVE-2026-3642: CWE-862 Missing Authorization in forfront e-shot
Description
The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The e-shot form builder plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) in the eshot_form_builder_update_field_data() AJAX handler. This function is registered via the wp_ajax_ hook but does not perform any capability checks (e.g., current_user_can()) or nonce verification (e.g., check_ajax_referer()). Consequently, any authenticated user, including those with minimal privileges such as Subscribers, can invoke this AJAX action to alter form field configurations, including mandatory status, visibility, and display preferences. The vulnerability affects all versions up to and including 1.0.2. There is no vendor-provided patch or official remediation at this time.
Potential Impact
The vulnerability allows authenticated users with Subscriber-level access or higher to modify form field configurations without proper authorization. This could lead to unauthorized changes in form behavior, potentially disrupting form functionality or user experience. There is no impact on confidentiality or availability reported. The integrity of form configuration data is affected at a low level.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict authenticated user roles to trusted users only and monitor for unauthorized changes to form configurations. Avoid granting unnecessary access to Subscriber-level accounts. No official fix or temporary workaround has been published by the vendor as of now.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-06T16:05:36.669Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69df540182d89c981fbdb3dc
Added to database: 4/15/2026, 9:01:53 AM
Last enriched: 4/15/2026, 9:17:45 AM
Last updated: 4/16/2026, 6:23:18 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.