Appmax WordPress Plugin Improper Input Validation Vulnerability Allowing Unauthorized Order Manipulation and Creation

Vulnerability

A vulnerability exists in the Appmax plugin for WordPress, affecting all versions up to and including 1.0.3. The issue arises from the plugin's public REST API webhook endpoint at '/webhook-system', which lacks proper authentication measures such as webhook signature validation and secret verification. This oversight allows unauthenticated attackers to send malicious payloads that can alter the status of WooCommerce orders, create new orders or products with arbitrary data, and manipulate order metadata by impersonating legitimate webhook events.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of WooCommerce order statuses, arbitrary creation of orders and products, and modification of order metadata.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/webhook-system' endpoint with crafted 'event' and 'data' parameters. The absence of authentication checks will allow the request to be processed, leading to the unauthorized actions described.
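For contrast with the unauthenticated endpoint described above, the following is an added illustration of how a WordPress REST webhook route can enforce the signature and secret checks the advisory says are missing. It is not the Appmax plugin's code; the 'example-shop/v1' namespace, the X-Webhook-Signature and X-Webhook-Timestamp headers, the 'example_webhook_secret' option and the event names are assumptions.

```php
<?php
// Added illustration, not the Appmax plugin's code. Assumed names: the
// 'example-shop/v1' namespace, the X-Webhook-Signature / X-Webhook-Timestamp
// headers, the 'example_webhook_secret' option and the two event names.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shop/v1', '/webhook-system', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_webhook',
        // Runs before the callback; any WP_Error here rejects the request.
        'permission_callback' => 'example_verify_webhook_signature',
    ) );
} );

function example_verify_webhook_signature( WP_REST_Request $request ) {
    $secret = get_option( 'example_webhook_secret' ); // shared with the sender
    if ( empty( $secret ) ) {
        // Fail closed: an unconfigured secret must not mean "accept everything".
        return new WP_Error( 'webhook_unconfigured', 'Webhook secret not set.', array( 'status' => 403 ) );
    }
    $timestamp = (int) $request->get_header( 'x-webhook-timestamp' );
    $provided  = (string) $request->get_header( 'x-webhook-signature' );
    // Reject stale or future-dated messages to limit replay of captured requests.
    if ( abs( time() - $timestamp ) > 300 ) {
        return new WP_Error( 'webhook_stale', 'Timestamp outside window.', array( 'status' => 403 ) );
    }
    // HMAC over the raw body so the check covers exactly the bytes that were sent.
    $expected = hash_hmac( 'sha256', $timestamp . '.' . $request->get_body(), $secret );
    if ( ! hash_equals( $expected, $provided ) ) { // constant-time comparison
        return new WP_Error( 'webhook_bad_signature', 'Invalid signature.', array( 'status' => 403 ) );
    }
    return true;
}

function example_handle_webhook( WP_REST_Request $request ) {
    $event = sanitize_key( $request->get_param( 'event' ) );
    $data  = $request->get_json_params();
    // The sender never chooses the status string: allow-listed events map to fixed statuses.
    $status_for = array( 'order_paid' => 'processing', 'order_refunded' => 'refunded' );
    if ( ! isset( $status_for[ $event ] ) ) {
        return new WP_Error( 'webhook_unknown_event', 'Unsupported event.', array( 'status' => 400 ) );
    }
    $order_id = isset( $data['order_id'] ) ? absint( $data['order_id'] ) : 0;
    $order    = function_exists( 'wc_get_order' ) ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        // Only existing orders are touched; the webhook cannot create orders or products.
        return new WP_Error( 'webhook_no_order', 'Unknown order.', array( 'status' => 404 ) );
    }
    $order->update_status( $status_for[ $event ], 'Status set by verified webhook.' );
    return rest_ensure_response( array( 'received' => true, 'order_id' => $order_id ) );
}
```

A request missing the headers, carrying a stale timestamp, or signed with the wrong secret is rejected with 403 before the order-handling code runs, which is the check the advisory reports as absent.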

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.

Added: Mar 21, 2026, 5:23 AM
Updated: Mar 21, 2026, 5:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.0
remediation: 0.0
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.