E-shot Form Builder WordPress Plugin Sensitive Information Exposure Vulnerability
Vulnerability
A vulnerability allowing sensitive information exposure has been identified in the E-shot Form Builder plugin for WordPress, affecting all versions through 1.0.2. The issue arises in the 'eshot_form_builder_get_account_data' function, which is an AJAX handler accessible to all authenticated users. This function lacks proper capability checks and nonce verification, allowing authenticated attackers with Subscriber-level access and above to retrieve the e-shot API token and subaccount data from the database. The extracted information could be used to access the victim's e-shot platform account.
Impact
Exploitation of this vulnerability allows authenticated users with Subscriber-level access and above to access sensitive information, including the e-shot API token and subaccount details, which could be used to compromise the victim's e-shot account.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'wp_ajax_eshot_form_builder_get_account_data' AJAX action. The request will return the e-shot API token and subaccount information as a JSON response.
Remediation
No known patch is available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.
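Where the plugin cannot be removed immediately, the missing capability check can be enforced from outside the plugin. The following is an added example, not code from the E-shot Form Builder plugin or its vendor: a must-use plugin that hooks the same AJAX action at an earlier priority and rejects callers without administrator rights. The file location, the function and constant names, the choice of `manage_options` as the required capability, and the plugin's handler running at the default priority of 10 are all assumptions.

```php
<?php
/**
 * Plugin Name: E-shot account-data AJAX guard (added example)
 * Description: Stopgap that restricts the eshot_form_builder_get_account_data
 *              AJAX action to administrators.
 *
 * Added example, not code from the E-shot Form Builder plugin.
 * Assumed location: wp-content/mu-plugins/eshot-ajax-guard.php
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse direct access outside WordPress.
}

// Assumption: only administrators should be able to read the stored token.
const ESHOT_GUARD_REQUIRED_CAP = 'manage_options';

/**
 * Runs before the plugin's own handler (assumed default priority 10) and
 * ends the request when the caller lacks the required capability.
 */
function eshot_guard_block_low_privilege() {
    if ( current_user_can( ESHOT_GUARD_REQUIRED_CAP ) ) {
        return; // Privileged caller: let the plugin's handler run.
    }

    // Record the attempt in the PHP error log for later review.
    error_log( sprintf(
        'eshot-ajax-guard: blocked account-data request from user ID %d',
        get_current_user_id()
    ) );

    // wp_send_json_error() sends the response and terminates the request,
    // so the plugin's unguarded handler never executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Priority 0 places this check ahead of the plugin's handler on the same hook.
add_action( 'wp_ajax_eshot_form_builder_get_account_data', 'eshot_guard_block_low_privilege', 0 );

// The advisory describes an authenticated-only handler; guarding the
// unauthenticated hook as well is harmless if no handler is registered there.
add_action( 'wp_ajax_nopriv_eshot_form_builder_get_account_data', 'eshot_guard_block_low_privilege', 0 );
```

This guard adds only the capability check; it does not add nonce verification, because the nonce action the plugin's own front end would need to send is not known from this advisory.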
