e-shot Vulnerability (Medium) – CVE-2026-3546

Mar 20, 2026 | Plugins

Attack Vectors

e-shot (WordPress plugin slug: e-shot-form-builder) versions up to and including 1.0.2 contain a Medium-severity vulnerability (CVSS 5.3) tracked as CVE-2026-3546. The issue is a missing authorization check that lets any authenticated WordPress user (including low-privilege roles such as Subscriber) retrieve the plugin's stored e-shot API token and associated subaccount data.

The exposure occurs through the plugin's AJAX handler eshot_form_builder_get_account_data, which is registered as a wp_ajax_ action. WordPress exposes every wp_ajax_ action to any logged-in user through /wp-admin/admin-ajax.php, so unless the handler itself checks capabilities, the lowest role on the site can reach it. This handler enforces no capability check (for example, restricting access to administrators) and verifies no nonce. In practical terms, anyone who gains or already holds a basic login to your site (through credential reuse, phishing, a shared account, or open registration) can request data they should never see.

Because this is an AJAX endpoint, exploitation is a single authenticated HTTP request over the network; no victim interaction is required beyond the attacker's own login (as reflected in the vulnerability's CVSS characteristics). This raises the risk for organizations with many user accounts, external collaborators, or sites where "Subscriber" access is handed out for gated content, events, or communities.

Security Weakness

The core weakness is missing authorization for a sensitive function. The plugin function eshot_form_builder_get_account_data() is exposed via a WordPress AJAX action and lacks both (1) a capability check (such as confirming the requester holds an administrator capability like manage_options) and (2) nonce validation, WordPress's anti-CSRF mechanism, which confirms the request originated from a page the site rendered for that user. Note that the capability check is the essential fix: a nonce alone would not help here, because the attacker is a legitimately logged-in user who can obtain a valid nonce from any page that issues one.

According to the published details, the function directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it, along with subaccount data, in a JSON response. This is a classic "sensitive information exposure" scenario: a secret (the API token) is retrievable by users who should not have access to it. Returning the raw secret to the browser at all is itself questionable design; an admin UI normally needs only to know whether a token is configured, not its value.
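The following is an added, illustrative reconstruction of the pattern the advisory describes next to a hardened version of the same handler. It is not the plugin's actual source: the hook registration, column name api_token, the helper that fetches subaccounts, and the nonce action name eshot_account_data are all assumptions made for the example. The point it demonstrates is where the two missing checks belong and why the hardened handler no longer hands the secret to the browser.

```php
<?php
// Added example (not vendor code). Both handlers assume WordPress is loaded
// and that the token lives in {$wpdb->prefix}eshotformbuilder_control.api_token.

// --- Vulnerable pattern, as the advisory describes it ---------------------
// wp_ajax_* is reachable by EVERY logged-in user via admin-ajax.php.
add_action( 'wp_ajax_eshot_form_builder_get_account_data', 'eshot_form_builder_get_account_data' );

function eshot_form_builder_get_account_data() {
    global $wpdb;
    // No check_ajax_referer(), no current_user_can(): a Subscriber gets here.
    $table = $wpdb->prefix . 'eshotformbuilder_control';
    $row   = $wpdb->get_row( "SELECT api_token FROM {$table} LIMIT 1" );

    $subaccounts = eshot_example_fetch_subaccounts( $row ? $row->api_token : '' );

    // The raw third-party secret is returned to whoever asked.
    wp_send_json( array( 'token' => $row ? $row->api_token : '', 'subaccounts' => $subaccounts ) );
}

// --- Hardened version ------------------------------------------------------
add_action( 'wp_ajax_eshot_form_builder_get_account_data_hardened', 'eshot_form_builder_get_account_data_hardened' );

function eshot_form_builder_get_account_data_hardened() {
    global $wpdb;

    // 1. CSRF protection: request must carry a nonce issued for this action.
    //    check_ajax_referer() sends a 403 and exits when the nonce is invalid.
    check_ajax_referer( 'eshot_account_data', 'nonce' );

    // 2. Authorization: this is the check the vulnerable handler lacks.
    //    A nonce does not establish privilege; only a capability check does.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $table = $wpdb->prefix . 'eshotformbuilder_control';
    $row   = $wpdb->get_row( "SELECT api_token FROM {$table} LIMIT 1" );
    $token = $row ? $row->api_token : '';

    $subaccounts = eshot_example_fetch_subaccounts( $token );

    // 3. Least exposure: tell the UI whether a token exists, never its value.
    wp_send_json_success( array(
        'token_configured' => '' !== $token,
        'subaccounts'      => $subaccounts,
    ) );
}

// The admin page that calls the hardened endpoint must be given the nonce,
// e.g. when enqueuing its script (handle name is an assumption):
function eshot_example_enqueue_admin_script() {
    wp_localize_script( 'eshot-admin', 'eshotAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'eshot_account_data' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'eshot_example_enqueue_admin_script' );

// Placeholder for the assumed remote call; real code would use wp_remote_get()
// against the e-shot API with the token. Returns a constructed list here.
function eshot_example_fetch_subaccounts( $token ) {
    if ( '' === $token ) {
        return array();
    }
    return array( array( 'id' => 1, 'name' => 'Example subaccount' ) ); // constructed sample
}
```

A quick check that a hardened handler behaves as intended: log in as a Subscriber, POST to /wp-admin/admin-ajax.php with action=eshot_form_builder_get_account_data_hardened and a valid nonce, and confirm the response is a 403 JSON error rather than account data. Running the same request without a nonce should also fail, independently of the user's role.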

At the time of writing, the referenced advisory indicates no known patch is available. Risk decisions must therefore focus on mitigation and/or replacement rather than waiting for a confirmed vendor fix.

Technical or Business Impacts

If the e-shot API token is exposed, the business risk extends beyond your WordPress site. API tokens authenticate to third-party services; in the hands of an unauthorized user, this one can enable access to data or actions within the connected e-shot account and its subaccounts (the exact downstream impact depends on what that token is permitted to do).

From a leadership and compliance perspective, likely impacts include:

Data exposure risk: Subaccount data returned by the endpoint may contain business-sensitive information. If your organization operates under privacy or contractual obligations, this can trigger incident response requirements and stakeholder notifications depending on what data is involved.

Brand and customer trust risk: Marketing and communications teams often manage integrations that touch customer contact workflows. Unauthorized access to account details can undermine trust, disrupt campaigns, and create reputational damage if customers perceive a lack of control over data access.

Operational and financial risk: If the token is used to access or manipulate external systems, the fallout can include campaign disruption, unexpected usage costs, and time spent on containment (rotating tokens, auditing access, and validating that no downstream misuse occurred).

Recommended action given no known patch: Based on the advisory, consider uninstalling e-shot and replacing it with an alternative plugin or approach that has a stronger security posture. Because you cannot prove the endpoint was never called, rotate the e-shot API token in the e-shot account as well; a stale copy of the old token is worthless once it is revoked. If immediate removal is not feasible, reduce exposure by limiting authenticated accounts to those who truly need them, auditing who holds logins (including "Subscriber" users), blocking the affected AJAX action for non-administrators at the WordPress layer, and monitoring for requests to admin-ajax.php carrying that action from accounts that have no business making them.
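Where the plugin cannot be removed straight away, an interim block can be applied without editing plugin code. The following is an added example of a must-use plugin (drop it into wp-content/mu-plugins/) that denies the affected AJAX action to anyone without manage_options and records the attempt. It is not vendor code; it relies on the documented fact that admin-ajax.php fires admin_init before dispatching the wp_ajax_ action, and the log line format is an assumption. It cannot add a nonce check, since the plugin's own JavaScript would not send one, so remove it once a fixed plugin version ships.

```php
<?php
/**
 * Plugin Name: Interim block for e-shot account-data AJAX (CVE-2026-3546)
 * Description: Added mitigation example, not vendor code. Denies
 *              eshot_form_builder_get_account_data to non-administrators.
 */

// admin_init runs on every admin-ajax.php request before the wp_ajax_* hook,
// so exiting here means the vulnerable handler never executes.
add_action( 'admin_init', 'eshot_mitigation_block_account_data', 0 );

function eshot_mitigation_block_account_data() {
    if ( ! wp_doing_ajax() ) {
        return; // ordinary admin page loads are unaffected
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'eshot_form_builder_get_account_data' !== $action ) {
        return; // every other AJAX action proceeds normally
    }

    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep the plugin's own UI working
    }

    // Record who tried: user id and source address feed later triage.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf(
        'eshot-mitigation: denied action=%s user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        $ip
    ) );

    // wp_send_json_error() emits the JSON body, sets the status, and exits.
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
```

Verify it by logging in as a Subscriber and POSTing action=eshot_form_builder_get_account_data to /wp-admin/admin-ajax.php: the response should be a 403 with {"success":false,...} and a corresponding line in the PHP error log. Because error_log() output lands wherever PHP is configured to write it, point the site's log at a file your monitoring already collects before relying on the entries.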

Similar attacks (real examples): Unauthorized access flaws and token/secret leakage in widely used tools have led to major incidents, including Uber's 2022 breach, in which an attacker who obtained an employee login went on to find and use internal credentials and tokens, and Cloudflare's 2017 Cloudbleed bug, where memory containing sensitive data was unintentionally exposed in HTTP responses. The root causes differ, but the lesson is the same: an exposed secret or access path quickly becomes a business-impacting event.
