PT-2026-8397 · WordPress +1 · Zarinpal Gateway For Woocommerce +1

Angus Girvan · Published 2026-02-17 · Updated 2026-02-17 · CVE-2026-2592

CVSS v3.1: 7.7
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Zarinpal Gateway for WooCommerce plugin versions prior to 5.0.17

Description: The Zarinpal Gateway for WooCommerce plugin for WordPress has an Improper Access Control issue in its payment status update. The payment callback handler ("Return from ZarinPal Gateway") does not properly validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This allows unauthenticated attackers to mark orders as paid without completing a legitimate payment by reusing a valid authority token from a different transaction of the same amount.

Recommendations: Update the Zarinpal Gateway for WooCommerce plugin to version 5.0.17 or later.
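A callback handler that binds the authority token to its order before marking it paid, added here as an illustration and not taken from the plugin. It assumes the gateway stored the token it was issued at payment creation in order meta named `_zarinpal_authority`, that the callback URL carries the order id in a `wc_order` parameter, and that the verify endpoint and response codes follow ZarinPal's v4 API (all of these are assumptions, not the plugin's own names or code).

```php
<?php
// Added example, not the plugin's code. Assumes the token ZarinPal issued at
// payment creation was saved in order meta '_zarinpal_authority' (name chosen
// here); endpoint and response fields follow ZarinPal's v4 API (an assumption).
function zp_example_verify( $merchant_id, $authority, $amount ) {
    $resp = wp_remote_post( 'https://api.zarinpal.com/pg/v4/payment/verify.json', array(
        'headers' => array( 'Content-Type' => 'application/json' ), 'timeout' => 15,
        'body'    => wp_json_encode( compact( 'merchant_id', 'authority', 'amount' ) ),
    ) );
    if ( is_wp_error( $resp ) ) {
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    // Gateway code 100 = verified now, 101 = this authority was already verified.
    $ok = in_array( (int) ( $data['data']['code'] ?? 0 ), array( 100, 101 ), true );
    return $ok ? (string) $data['data']['ref_id'] : null;
}

function zp_example_reject( $order, $note ) {
    $order->add_order_note( 'ZarinPal callback rejected: ' . $note );
    wp_safe_redirect( wc_get_checkout_url() );
    exit;
}

function zp_example_return_handler( $merchant_id ) {
    $order_id  = isset( $_GET['wc_order'] ) ? absint( $_GET['wc_order'] ) : 0;
    $authority = isset( $_GET['Authority'] ) ? sanitize_text_field( wp_unslash( $_GET['Authority'] ) ) : '';
    $order     = wc_get_order( $order_id );
    if ( ! $order || '' === $authority || $order->is_paid() ) {
        wp_safe_redirect( wc_get_checkout_url() ); // nothing to process (or already paid)
        exit;
    }
    // Binding check: the URL token must be the one issued for THIS order; without it a valid token from another same-amount transaction would be accepted.
    $expected = (string) $order->get_meta( '_zarinpal_authority', true );
    if ( '' === $expected || ! hash_equals( $expected, $authority ) ) {
        zp_example_reject( $order, 'authority token is not bound to this order.' );
    }
    // Verify with the gateway using the order's own total, never a request value.
    $ref_id = zp_example_verify( $merchant_id, $authority, (int) $order->get_total() );
    if ( null === $ref_id ) {
        $order->update_status( 'failed', 'ZarinPal verification failed.' );
        zp_example_reject( $order, 'gateway did not confirm the payment.' );
    }
    // Consume the token so this callback cannot be replayed, then mark the order paid.
    $order->delete_meta_data( '_zarinpal_authority' );
    $order->payment_complete( $ref_id );
    wp_safe_redirect( $order->get_checkout_order_received_url() );
    exit;
}
```

Currency unit conversion for the amount field is omitted and must follow whatever unit the merchant account uses. Two facts about the order, the stored token and the stored total, decide the outcome; nothing the caller supplies is trusted on its own.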

Fix

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2026-2592

Affected Products: Woocommerce, Zarinpal Gateway For Woocommerce