PT-2026-26858 · Forfront · E-Shot

Phong Nguyen · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-3546

CVSS v3.1: 5.3 (Medium) · AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax AJAX handler and is therefore reachable by every authenticated user. The function performs no capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It queries the database directly for the e-shot API token stored in the eshotformbuilder_control table and returns it, together with all subaccount data, as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim's e-shot platform account.
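The defect described above is a missing authorization and CSRF check on a wp_ajax handler. The following PHP is an added illustration written for this advisory; it is not the plugin's code. It shows the unsafe handler shape the advisory describes next to a hardened version that verifies a nonce, requires the manage_options capability, and never returns the raw token to the browser. The table suffix eshotformbuilder_control is taken from the advisory; the column names (api_token, subaccounts), the nonce action (eshot_fb_account), the script handle (eshot-fb-admin) and the settings page hook are assumptions.

```php
<?php
/**
 * Added illustration, not the plugin's own code.
 * Assumed (not from the advisory): column names 'api_token' and 'subaccounts',
 * nonce action 'eshot_fb_account', script handle 'eshot-fb-admin',
 * and the settings page hook suffix used below.
 */

// --- Unsafe shape the advisory describes ------------------------------------
// Registered for every logged-in user; no capability check, no nonce,
// and the raw token is sent straight back to the caller.
function eshot_fb_get_account_data_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'eshotformbuilder_control';
    $row   = $wpdb->get_row( "SELECT api_token, subaccounts FROM {$table} LIMIT 1", ARRAY_A );
    wp_send_json( $row ); // any Subscriber receives the token
}
add_action( 'wp_ajax_eshot_fb_get_account_data_unsafe', 'eshot_fb_get_account_data_unsafe' );

// --- Hardened version --------------------------------------------------------
function eshot_fb_get_account_data_secure() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request if the nonce is missing or stale.
    check_ajax_referer( 'eshot_fb_account', 'nonce' );

    // 2. Authorization: only users who may manage the site read account data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'eshotformbuilder_control';
    $row   = $wpdb->get_row( "SELECT api_token, subaccounts FROM {$table} LIMIT 1", ARRAY_A );

    if ( ! $row ) {
        wp_send_json_error( array( 'message' => 'not configured' ), 404 );
    }

    // 3. Data minimisation: the settings screen only needs to know a token is
    //    set (plus a short hint for recognition), never the full secret.
    $token = (string) $row['api_token'];
    wp_send_json_success( array(
        'token_configured' => ( '' !== $token ),
        'token_hint'       => ( '' === $token ) ? '' : '****' . substr( $token, -4 ),
        'subaccounts'      => json_decode( (string) $row['subaccounts'], true ),
    ) );
}
// Authenticated hook only; deliberately no 'wp_ajax_nopriv_' registration.
add_action( 'wp_ajax_eshot_fb_get_account_data', 'eshot_fb_get_account_data_secure' );

// --- Issuing the nonce to the admin page's script ---------------------------
function eshot_fb_enqueue_admin_script( $hook_suffix ) {
    if ( 'settings_page_eshot-form-builder' !== $hook_suffix ) { // assumed page hook
        return;
    }
    wp_enqueue_script( 'eshot-fb-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // The script sends this nonce as the 'nonce' POST field with action
    // 'eshot_fb_get_account_data'; check_ajax_referer() above validates it.
    wp_localize_script( 'eshot-fb-admin', 'eshotFb', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'eshot_fb_account' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'eshot_fb_enqueue_admin_script' );
```

The nonce and the capability check address different failures: the nonce stops a logged-in user's browser from being driven to the endpoint by another site, while current_user_can() stops a low-privilege account from calling it directly. Returning only a masked hint closes the remaining leak even if a future bug weakens either check. Because a token that has already been read cannot be revoked by a plugin update, sites that ran an affected version should also rotate the e-shot API token after updating.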

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-3546

Affected Products

E-Shot