PT-2026-33019 · Forfront · E-Shot

Phong Nguyen · Published 2026-04-15 · Updated 2026-04-15 · CVE-2026-3642

CVSS v3.1: 5.3 (Medium), AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action.
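
The two checks the description names, shown on a wp_ajax_ handler as an added example (not the plugin's source and not a vendor patch). Only the action name comes from this advisory; the function name, nonce action, manage_options capability, POST parameter names, option key and script handle are assumptions made for illustration.

```php
<?php
// Added illustration; not code from the e-shot plugin.
// Assumed names: example_update_field_data, example_update_field_nonce,
// example_form_fields, example-admin, and the POST keys read below.

// Registered on wp_ajax_ only, so WordPress routes it for any logged-in user.
// That is why the handler itself must decide who may change form settings.
add_action( 'wp_ajax_eshot_form_builder_update_field_data', 'example_update_field_data' );

function example_update_field_data() {
    // 1. Nonce verification: with $stop = false the function returns false
    //    instead of dying, so the handler can send a structured 403.
    if ( ! check_ajax_referer( 'example_update_field_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Capability check: being logged in is not authorization.
    //    A Subscriber does not hold manage_options (assumed capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validate and normalize input before it is stored.
    $field_id = isset( $_POST['field_id'] ) ? absint( $_POST['field_id'] ) : 0;
    if ( 0 === $field_id ) {
        wp_send_json_error( array( 'message' => 'Missing field_id' ), 400 );
    }
    $settings = array(
        'mandatory' => ! empty( $_POST['mandatory'] ),
        'visible'   => ! empty( $_POST['visible'] ),
    );

    $fields              = get_option( 'example_form_fields', array() );
    $fields[ $field_id ] = $settings;
    update_option( 'example_form_fields', $fields );

    wp_send_json_success( array( 'field_id' => $field_id ) );
}

// Hand the nonce only to users who already pass the capability check.
// Assumes a script with the handle 'example-admin' is registered elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    if ( current_user_can( 'manage_options' ) ) {
        wp_localize_script( 'example-admin', 'exampleAjax', array(
            'nonce' => wp_create_nonce( 'example_update_field_nonce' ),
        ) );
    }
} );
```

The nonce alone is not an access control: it only ties the request to a user session, so the capability check has to stay even when the nonce is present.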

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-3642

Affected Products

E-Shot