Zarinpal Gateway for WooCommerce < 5.0.17 – Improper Access Control to Payment Status Update | CVE 2026-2592 | Plugin Vulnerabilities

Description

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount.

Affects Plugins

zarinpal-woocommerce-payment-gateway

Fixed in 5.0.17

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e33fcd17-318b-408e-86bf-b4ece46121cc

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

b75dc325-07fc-4b83-9614-bd0f6d9f7215

Timeline

Publicly Published

2026-02-16 (about 3 months ago)

Added

2026-02-16 (about 3 months ago)

Last Updated

2026-02-17 (about 3 months ago)

Other

Published

Title

Published

2021-10-05

Title

JobSearch WP Job Board < 1.8.2 - Unauthenticated Plugin's Settings Update

Published

2021-07-12

Title

Frontend File Manager < 18.3 - Privilege Escalation

Published

2024-09-25

Title

Jupiter X Core < 4.7.8 - Limited Unauthenticated Authentication Bypass to Account Takeover

Published

2021-11-03

Title

Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Elementor Template Import

Published

2024-01-24

Title

Views for WPForms < 3.2.3 - Cross-Site Request Forgery via create_view