Is WordPress affected by CVE-2026-3641?

Organizations using for WordPress is vulnerable to Improper Input Validation in all should be aware of moderate risk from CVE-2026-3641, a input validation vulnerability rated CVSS 5.3. Exploitation could compromise the security of affected deployments.

CVE-2026-3641

EUVD-2026-14187 MEDIUM

2026-03-21 Wordfence

GHSA-crgh-3rc5-vq96

5.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 21, 2026 - 04:00 euvd

EUVD-2026-14187

Analysis Generated

Mar 21, 2026 - 04:00 vuln.today

CVE Published

Mar 21, 2026 - 03:26 nvd

MEDIUM 5.3

Description

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any mechanism to authenticate that incoming webhook requests genuinely originate from the legitimate Appmax payment service. The plugin directly processes untrusted attacker-controlled input from the 'event' and 'data' parameters without verifying the webhook's authenticity. This makes it possible for unauthenticated attackers to craft malicious webhook payloads that can modify the status of existing WooCommerce orders (e.g., changing them to processing, refunded, cancelled, or pending), create entirely new WooCommerce orders with arbitrary data, create new WooCommerce products with attacker-controlled names/descriptions/prices, and write arbitrary values to order post metadata by spoofing legitimate webhook events.

Analysis

The Appmax WordPress plugin versions up to 1.0.3 contain an improper input validation vulnerability in its public REST API webhook endpoint at /webhook-system that fails to authenticate, verify signatures, or validate the authenticity of incoming webhook requests. Unauthenticated attackers can exploit this by crafting malicious webhook payloads to modify existing WooCommerce order statuses, create arbitrary new orders and products with attacker-controlled data, and inject arbitrary metadata into orders. …

Remediation

Within 30 days: Identify affected systems running for WordPress is vulnerable to Improper Input Validation in and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +26

POC: 0

CVE-2026-3641 vulnerability details – vuln.today

Back

CVE-2026-3641

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-3641

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code