Missing Authorization Vulnerability in e-shot™ Form Builder Plugin for WordPress
CVE-2026-3642

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: E-shot
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-3642?

The e-shot™ Form Builder Plugin for WordPress contains a vulnerability that permits unauthorized modification of form fields by authenticated users. This vulnerability arises from the absence of capability checks and nonce verification in the eshot_form_builder_update_field_data() AJAX handler. Consequently, any user with Subscribe-level access or higher can alter the configurations of form fields, affecting their mandatory status, visibility, and display settings. This lack of access control could lead to potential misuse of forms and data exposure, making updates and proper security practices essential for safeguarding users and maintaining the integrity of forms.

Affected Version(s)

e-shot 0 <= 1.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/e-shot-form-bu...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Mar 6, 2026

Credit

Phong Nguyen

CVE-2026-3642 Data

JSON