PT-2026-26863 · Automattic · Woocommerce

Ronnachai Chaipha · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-3641

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Appmax plugin for WordPress, versions up to and including 1.0.3

Description: The software contains a flaw due to a lack of proper input validation in a public REST API webhook endpoint. The endpoint, located at /webhook-system, does not implement webhook signature validation, secret verification, or any authentication mechanism to confirm the origin of incoming webhook requests. The plugin processes untrusted data from the event and data parameters without verifying authenticity. This allows attackers to manipulate WooCommerce orders, including modifying their status (processing, refunded, cancelled, or pending) and creating new orders with arbitrary data. Attackers can also create new WooCommerce products with attacker-controlled details such as names, descriptions, and prices, and write arbitrary values to order post metadata by spoofing legitimate webhook events.

Recommendations: Versions prior to 1.0.4 should not be used.
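The missing control the advisory describes is an origin check on the webhook route. The following WordPress plugin code is an added illustration written for this page, not the Appmax plugin's own code and not its 1.0.4 fix; the REST namespace, the option holding the shared secret, the X-Webhook-Signature header, the HMAC-SHA256 scheme and the event names are all assumptions. It shows the unauthenticated pattern beside a hardened route whose permission_callback verifies the signature over the raw body before any order is touched, and a handler that still allow-lists the event and data fields afterwards.

```php
<?php
// Added illustration, not the Appmax plugin's code. Hypothetical names:
// the 'appmax-example/v1' namespace, the 'appmax_example_webhook_secret'
// option, the X-Webhook-Signature header and the order.* event names.

// Weak pattern the advisory describes: a public route with no origin check.
// Anyone who can reach the site can POST any 'event' and 'data' to it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'appmax-example/v1', '/webhook-system-insecure', array(
        'methods'             => 'POST',
        'callback'            => 'appmax_example_handle_webhook',
        'permission_callback' => '__return_true', // no signature, no secret, no auth
    ) );
} );

// Hardened pattern: the provider signs the raw request body with a shared
// secret (HMAC-SHA256 assumed) and the receiver recomputes and compares it
// before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'appmax-example/v1', '/webhook-system', array(
        'methods'             => 'POST',
        'callback'            => 'appmax_example_handle_webhook',
        'permission_callback' => 'appmax_example_verify_webhook_signature',
    ) );
} );

/**
 * Rejects the request unless the X-Webhook-Signature header equals
 * HMAC-SHA256( secret, raw body ). Returns true or a WP_Error.
 */
function appmax_example_verify_webhook_signature( WP_REST_Request $request ) {
    $secret = get_option( 'appmax_example_webhook_secret', '' ); // hypothetical option
    if ( ! is_string( $secret ) || $secret === '' ) {
        // Fail closed: an unconfigured secret must not turn the route public.
        return new WP_Error( 'webhook_unconfigured', 'Webhook secret not configured.', array( 'status' => 500 ) );
    }

    $header = $request->get_header( 'x-webhook-signature' ); // hypothetical header
    if ( ! is_string( $header ) ) {
        return new WP_Error( 'webhook_unsigned', 'Missing signature.', array( 'status' => 401 ) );
    }
    $header = strtolower( trim( $header ) );
    if ( ! preg_match( '/^[0-9a-f]{64}$/', $header ) ) {
        return new WP_Error( 'webhook_unsigned', 'Malformed signature.', array( 'status' => 401 ) );
    }

    // Sign the raw bytes, not the parsed parameters: re-serialising JSON can
    // change key order or encoding and silently break the comparison.
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );

    // Constant-time comparison so the check does not leak through timing.
    if ( ! hash_equals( $expected, $header ) ) {
        return new WP_Error( 'webhook_forbidden', 'Invalid signature.', array( 'status' => 401 ) );
    }
    return true;
}

/**
 * Handler reached only after the signature check. Even then, 'event' and
 * 'data' stay untrusted: allow-list the event names and the fields used.
 */
function appmax_example_handle_webhook( WP_REST_Request $request ) {
    $allowed_events = array( 'order.processing', 'order.cancelled', 'order.refunded', 'order.pending' ); // assumed
    $event = $request->get_param( 'event' );
    $data  = $request->get_param( 'data' );

    if ( ! in_array( $event, $allowed_events, true ) || ! is_array( $data ) ) {
        return new WP_Error( 'webhook_bad_event', 'Unsupported event or payload.', array( 'status' => 400 ) );
    }

    $order_id = isset( $data['order_id'] ) ? absint( $data['order_id'] ) : 0;
    $order    = function_exists( 'wc_get_order' ) ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        return new WP_Error( 'webhook_no_order', 'Unknown order.', array( 'status' => 404 ) );
    }

    // Derive the status from the allow-listed event name rather than writing
    // whatever status string the payload carries.
    $status = substr( $event, strlen( 'order.' ) ); // 'processing', 'cancelled', ...
    $order->update_status( $status, 'Status set by verified webhook.' );

    return rest_ensure_response( array( 'ok' => true, 'order' => $order_id ) );
}
```

The permission_callback is the right place for the check because WordPress evaluates it before the route callback and before any plugin logic sees the event or data parameters; failing closed when the secret is unset avoids the unauthenticated state the advisory describes, and the allow-list in the handler limits what a replayed or provider-side-compromised but correctly signed message can change.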

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2026-3641

Affected Products

Appmax Plugin
Woocommerce