CVE-2026-2592

Published: Feb 17, 2026Modified: Feb 18, 2026

7.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Exploitability: 2.2 / Impact: 5.5

Source: security@wordfence.com

Description

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount.

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (7)

https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L359

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L370

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L380

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L409

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L412

Source: security@wordfence.com

https://plugins.trac.wordpress.org/changeset/3445917/

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/e33fcd17-318b-408e-86bf-b4ece46121cc?source=cve

Source: security@wordfence.com

Timeline

No history available yet.