{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3546", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T18:26:18.273Z", "datePublished": "2026-03-21T03:26:56.419Z", "dateUpdated": "2026-04-08T17:10:13.518Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:13.518Z"}, "affected": [{"vendor": "forfront", "product": "e-shot", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim's e-shot platform account."}], "title": "e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/965bb642-4472-491f-8378-f4331ba4ab7c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/admin/class-eshotformbuilder-admin.php#L567"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/admin/class-eshotformbuilder-admin.php#L567"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/includes/class-eshotformbuilder.php#L163"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/includes/class-eshotformbuilder.php#L163"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-202 Exposure of Sensitive Information Through Data Queries", "cweId": "CWE-202", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "timeline": [{"time": "2026-03-20T15:09:33.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:53:11.893222Z", "id": "CVE-2026-3546", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:53:55.424Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3546", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:53:11.893222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:53:51.901Z"}}], "cna": {"title": "e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "forfront", "product": "e-shot", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:09:33.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/965bb642-4472-491f-8378-f4331ba4ab7c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/admin/class-eshotformbuilder-admin.php#L567"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/admin/class-eshotformbuilder-admin.php#L567"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/includes/class-eshotformbuilder.php#L163"}, {"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/includes/class-eshotformbuilder.php#L163"}], "descriptions": [{"lang": "en", "value": "The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim's e-shot platform account."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-202", "description": "CWE-202 Exposure of Sensitive Information Through Data Queries"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:56.419Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3546", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:53:55.424Z", "dateReserved": "2026-03-04T18:26:18.273Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:56.419Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim's e-shot platform account."}, {"lang": "es", "value": "El plugin e-shot form builder para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n Sensible en todas las versiones hasta la 1.0.2, inclusive. La funci\u00f3n eshot_form_builder_get_account_data() est\u00e1 registrada como un gestor AJAX wp_ajax_ accesible para todos los usuarios autenticados. La funci\u00f3n carece de cualquier verificaci\u00f3n de capacidad (p. ej., current_user_can('manage_options')) y no verifica un nonce. Consulta directamente la base de datos para el token de la API de e-shot almacenado en la tabla eshotformbuilder_control y lo devuelve junto con todos los datos de la subcuenta como una respuesta JSON. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, extraigan el token de la API de e-shot y la informaci\u00f3n de la subcuenta, lo que podr\u00eda usarse para acceder a la cuenta de la plataforma e-shot de la v\u00edctima."}], "id": "CVE-2026-3546", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:27.713", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/admin/class-eshotformbuilder-admin.php#L567"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/includes/class-eshotformbuilder.php#L163"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/admin/class-eshotformbuilder-admin.php#L567"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/includes/class-eshotformbuilder.php#L163"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/965bb642-4472-491f-8378-f4331ba4ab7c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-202"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "e-shot", "source": "cna", "vendor": "forfront"}, "product": "e-shot", "vendor": "forfront"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:14:38.217733+00:00", "value": {"mitigation_remediation": ["Update the e\u2011shot plugin to a version newer than 1.0.2 when it becomes available. ", "If an update is not immediately available, modify or disable the eshot_form_builder_get_account_data AJAX handler so that it requires the 'manage_options' capability or higher. ", "Review other AJAX actions in the plugin to ensure they also enforce proper capability checks and monitor site logs for attempts to call the vulnerable endpoint."], "summary": {"action": "Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Form Builder for e\u2011shot plugin installed with version 1.0.2 or any earlier release are affected. The vulnerability applies to all authenticated users, including those with Subscriber level access. All sites that rely on this plugin and have not upgraded beyond this release should review their configuration.", "description_and_impact": "The e-shot form builder plugin for WordPress contains an issue where the function eshot_form_builder_get_account_data is exposed as an AJAX handler to all logged\u2011in users. The code does not perform any capability verification or nonce validation and reads the API token and subaccount data directly from the database, returning it as JSON. This allows an attacker who can log in as a Subscriber or higher to obtain credentials that could be used to compromise the victim\u2019s e\u2011shot platform account. The weakness reflects the improper validation of user authority (CWE-202).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity vulnerability. An attacker only needs to be logged into the site with Subscriber or higher privileges, a common role for many users, and can simply invoke the AJAX endpoint to retrieve the token. Because the exploit requires no additional credentials and the code performs no security checks, the risk of compromise is considered high for any exposed token. EPSS information is not available, and the vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, but its ease of exploitation makes it a worthwhile concern for administrators."}}}}, "created": "2026-03-23T09:50:12.251923+00:00", "updated": "2026-03-25T14:41:53.254018+00:00", "vendors": ["forfront", "forfront$PRODUCT$e-shot", "wordpress", "wordpress$PRODUCT$wordpress"]}