PT-2026-26858 · WordPress · Wordpress+1

Phong Nguyen · Published 2026-03-21 · Updated 2026-03-31 · CVE-2026-3546

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

e-shot form builder plugin for WordPress versions up to and including 1.0.2

Description

The e-shot form builder plugin for WordPress is susceptible to exposure of sensitive information. The eshot_form_builder_get_account_data() function, registered as a wp_ajax_ AJAX handler, does not include appropriate capability checks or nonce verification. This allows authenticated attackers with Subscriber-level access or higher to query the database and retrieve the e-shot API token stored in the eshotformbuilder_control table, along with all subaccount data, as a JSON response. This information could be used to access the victim's e-shot platform account.

Recommendations

Versions prior to and including 1.0.2 should be updated to a newer, fixed version when available. As a temporary workaround, consider removing the AJAX handler for the eshot_form_builder_get_account_data() function. Restrict access to the eshotformbuilder_control table to authorized users only.

Related Identifiers

CVE-2026-3546

Affected Products

Wordpress
E-Shot Form Builder