Cyber Resilience

CVE-2026-3641

Medium

Published: 21 March 2026

Published
21 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0015 35.2th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3641 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Wordpress (inferred from references). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret…

more

verification, or any mechanism to authenticate that incoming webhook requests genuinely originate from the legitimate Appmax payment service. The plugin directly processes untrusted attacker-controlled input from the 'event' and 'data' parameters without verifying the webhook's authenticity. This makes it possible for unauthenticated attackers to craft malicious webhook payloads that can modify the status of existing WooCommerce orders (e.g., changing them to processing, refunded, cancelled, or pending), create entirely new WooCommerce orders with arbitrary data, create new WooCommerce products with attacker-controlled names/descriptions/prices, and write arbitrary values to order post metadata by spoofing legitimate webhook events.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated exploitation of exposed public webhook REST endpoint in WordPress plugin (CWE-20) to spoof events and manipulate WooCommerce data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

addresses: CWE-20

Directly implements checks on information inputs to reject invalid data before processing.

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

References