Description
The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any mechanism to authenticate that incoming webhook requests genuinely originate from the legitimate Appmax payment service. The plugin directly processes untrusted attacker-controlled input from the 'event' and 'data' parameters without verifying the webhook's authenticity. This makes it possible for unauthenticated attackers to craft malicious webhook payloads that can modify the status of existing WooCommerce orders (e.g., changing them to processing, refunded, cancelled, or pending), create entirely new WooCommerce orders with arbitrary data, create new WooCommerce products with attacker-controlled names/descriptions/prices, and write arbitrary values to order post metadata by spoofing legitimate webhook events.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Order Manipulation
Action: Patch
AI Analysis

Impact

The Appmax WordPress plugin lacks proper input validation and authentication for its REST API webhook endpoint, allowing attackers to send forged requests that are processed as legitimate. This flaw enables malicious actors to change the status of existing WooCommerce orders, create new orders with arbitrary data, add new products with attacker-controlled attributes, and inject arbitrary metadata into orders. The immediate consequence is the potential for financial fraud, unauthorized refunds, and compromise of order integrity, directly affecting the confidentiality and integrity of the e-commerce system.

Affected Systems

All installations of the Appmax plugin for WordPress through version 1.0.3 are affected. The vendor and product are Appmax. No impacted sub-products or specific WordPress versions are identified beyond the plugin itself.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability is considered medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The lack of authentication means that an unauthenticated remote attacker can simply POST to the /webhook-system endpoint with crafted payloads; no additional conditions or system privileges are required. Because the exploit is remote, the risk is moderate, though the potential impact on business operations and revenue can be significant.

Generated by OpenCVE AI on March 21, 2026 at 07:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Appmax to a version newer than 1.0.3 or apply an available patch
  • If an upgrade is not feasible, remove or deactivate the Appmax plugin and any webhook handling code
  • Restrict access to the /webhook-system endpoint by IP whitelisting or firewall rules
  • Monitor WooCommerce logs for unexpected order status changes or new order creations and investigate anomalies
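The check the description says is missing, as an added example (not the Appmax plugin's own code): a WordPress REST route whose permission callback verifies an HMAC-SHA256 signature over the raw body before any handler runs, and whose handler only maps an allowlisted 'event' onto an existing order's status instead of applying arbitrary 'data'. The route namespace, header name, option name, event names and the signing scheme itself are assumptions; the page does not describe how Appmax signs its webhooks.

```php
<?php
// Added example, not the Appmax plugin's code. Assumed signing scheme:
// HMAC-SHA256 over the raw request body, hex-encoded, sent in the
// X-Webhook-Signature header; the shared secret lives in an assumed WP option.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-pay/v1', '/webhook-system', array(
        'methods'             => 'POST',
        'callback'            => 'example_pay_handle_webhook',
        // Runs before the callback; a WP_Error here ends the request with its
        // status code, so unsigned payloads never reach the order logic.
        'permission_callback' => 'example_pay_verify_webhook_signature',
    ) );
} );

function example_pay_verify_webhook_signature( WP_REST_Request $request ) {
    $secret = (string) get_option( 'example_pay_webhook_secret', '' ); // assumed option
    if ( '' === $secret ) {
        return new WP_Error( 'no_secret', 'Webhook secret not configured', array( 'status' => 503 ) );
    }
    $provided = (string) $request->get_header( 'x-webhook-signature' );
    // Sign the raw body, not parsed params, so re-encoding cannot alter the digest.
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    // hash_equals is constant-time; == would leak timing and coerce types.
    if ( '' === $provided || ! hash_equals( $expected, $provided ) ) {
        return new WP_Error( 'bad_signature', 'Invalid webhook signature', array( 'status' => 401 ) );
    }
    return true;
}

function example_pay_handle_webhook( WP_REST_Request $request ) {
    // Only events the integration expects map to order states (assumed names);
    // unknown events are rejected rather than interpreted.
    $allowed_events = array(
        'payment.approved'  => 'processing',
        'payment.refunded'  => 'refunded',
        'payment.cancelled' => 'cancelled',
    );
    $event = (string) $request->get_param( 'event' );
    $data  = (array) $request->get_param( 'data' );
    if ( ! isset( $allowed_events[ $event ] ) ) {
        return new WP_Error( 'unknown_event', 'Unsupported event', array( 'status' => 400 ) );
    }
    // Look up an existing order by id; this webhook never creates orders or products.
    $order = wc_get_order( absint( $data['order_id'] ?? 0 ) );
    if ( ! $order ) {
        return new WP_Error( 'no_order', 'Unknown order', array( 'status' => 404 ) );
    }
    $order->update_status( $allowed_events[ $event ], 'Status set by verified webhook' );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

Pair this with the IP restriction and log monitoring listed above: the signature check stops spoofed events, and an order-status audit trail shows whether any were applied before the patch.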


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Appmaxplataforma; Appmaxplataforma appmax; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Appmaxplataforma; Appmaxplataforma appmax; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Added: The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any mechanism to authenticate that incoming webhook requests genuinely originate from the legitimate Appmax payment service. The plugin directly processes untrusted attacker-controlled input from the 'event' and 'data' parameters without verifying the webhook's authenticity. This makes it possible for unauthenticated attackers to craft malicious webhook payloads that can modify the status of existing WooCommerce orders (e.g., changing them to processing, refunded, cancelled, or pending), create entirely new WooCommerce orders with arbitrary data, create new WooCommerce products with attacker-controlled names/descriptions/prices, and write arbitrary values to order post metadata by spoofing legitimate webhook events.

Type: Title
Values Added: Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint

Type: Weaknesses
Values Added: CWE-20

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:07.371Z

Reserved: 2026-03-06T16:04:14.223Z

Link: CVE-2026-3641

Vulnrichment

Updated: 2026-03-23T17:56:33.489Z

NVD

Status: Deferred

Published: 2026-03-21T04:17:31.773

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-3641

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:04Z

Weaknesses