PT-2026-8397 · WordPress · Zarinpal Gateway For Woocommerce
Angus Girvan
·
Published
2026-02-17
·
Updated
2026-02-22
·
CVE-2026-2592
CVSS v3.1
7.7
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Zarinpal Gateway for WooCommerce plugin versions prior to 5.0.17
Description
The Zarinpal Gateway for WooCommerce plugin for WordPress has an Improper Access Control issue in its payment status update. The payment callback handler (the "Return from ZarinPal Gateway" step) does not validate that the authority token supplied in the callback URL belongs to the specific order being marked as paid. An unauthenticated attacker who holds a valid authority token from a different transaction of the same amount can reuse it against another order and have that order marked as paid without completing a legitimate payment for it.
Recommendations
Update the Zarinpal Gateway for WooCommerce plugin to version 5.0.17 or later.
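The check that is missing, shown as a self-contained PHP sketch added here for illustration (it is not the plugin's code, and the fix shipped in 5.0.17 may be implemented differently). FakeGateway is a hypothetical stand-in for the gateway's request/verify calls, the in-memory order array stands in for WooCommerce order meta, and the two orders are constructed sample data. The gateway's verification step in this model only knows the amount and the authority, which is exactly why an authority from a different transaction of the same amount passes unless the merchant side binds the token to the order at checkout:

```php
<?php
declare(strict_types=1);

/*
 * Hypothetical stand-in for the gateway, not the Zarinpal SDK: verify() succeeds
 * for any (amount, authority) pair that was really paid and has no notion of
 * which merchant order the authority was issued for.
 */
final class FakeGateway
{
    /** @var array<string,int> authority => amount requested */
    private array $issued = [];
    /** @var array<string,int> authority => amount paid */
    private array $paid = [];

    public function request(int $amount): string
    {
        $authority = 'A' . str_pad((string) (count($this->issued) + 1), 35, '0', STR_PAD_LEFT);
        $this->issued[$authority] = $amount;
        return $authority;
    }

    /** Customer completes payment on the gateway side. */
    public function pay(string $authority): void
    {
        $this->paid[$authority] = $this->issued[$authority];
    }

    public function verify(int $amount, string $authority): bool
    {
        return ($this->paid[$authority] ?? null) === $amount;
    }
}

/** Constructed sample: attacker's order (1) and victim's order (2) cost the same. */
function make_orders(): array
{
    return [
        1 => ['amount' => 50000, 'authority' => null, 'status' => 'pending'],
        2 => ['amount' => 50000, 'authority' => null, 'status' => 'pending'],
    ];
}

/** Checkout: request an authority and bind it to the order (order meta in WooCommerce). */
function start_payment(FakeGateway $gw, array &$orders, int $orderId): string
{
    $authority = $gw->request($orders[$orderId]['amount']);
    $orders[$orderId]['authority'] = $authority;
    return $authority;
}

/** Vulnerable pattern: any authority the gateway confirms for this amount is accepted. */
function callback_vulnerable(FakeGateway $gw, array &$orders, array &$used, int $orderId, string $authority): bool
{
    $order = $orders[$orderId] ?? null;
    if ($order === null || !$gw->verify($order['amount'], $authority)) {
        return false;
    }
    $orders[$orderId]['status'] = 'paid';
    return true;
}

/** Hardened pattern: authority must be the one stored for this order, unused, and the order still pending. */
function callback_fixed(FakeGateway $gw, array &$orders, array &$used, int $orderId, string $authority): bool
{
    $order = $orders[$orderId] ?? null;
    if ($order === null || $order['status'] !== 'pending') {
        return false;                                   // unknown or already settled
    }
    if ($order['authority'] === null || !hash_equals($order['authority'], $authority)) {
        return false;                                   // token was issued for another order
    }
    if (isset($used[$authority]) || !$gw->verify($order['amount'], $authority)) {
        return false;                                   // replayed, or never actually paid
    }
    $used[$authority] = true;
    $orders[$orderId]['status'] = 'paid';
    return true;
}

/** Attacker pays for order 1, then hits the return URL of order 2 with order 1's authority. */
function run_attack(callable $handler): string
{
    $gw = new FakeGateway();
    $orders = make_orders();
    $used = [];
    $stolen = start_payment($gw, $orders, 1);
    start_payment($gw, $orders, 2);                     // victim never pays
    $gw->pay($stolen);
    $handler($gw, $orders, $used, 2, $stolen);
    return $orders[2]['status'];
}

/** The legitimate flow must still succeed with the hardened handler. */
function run_legitimate(callable $handler): string
{
    $gw = new FakeGateway();
    $orders = make_orders();
    $used = [];
    $authority = start_payment($gw, $orders, 1);
    $gw->pay($authority);
    $handler($gw, $orders, $used, 1, $authority);
    return $orders[1]['status'];
}

if (run_attack('callback_vulnerable') !== 'paid'
    || run_attack('callback_fixed') !== 'pending'
    || run_legitimate('callback_fixed') !== 'paid') {
    throw new RuntimeException('unexpected outcome');
}
echo 'vulnerable handler, victim order: ', run_attack('callback_vulnerable'), PHP_EOL;
echo 'fixed handler, victim order:      ', run_attack('callback_fixed'), PHP_EOL;
```

Run it with `php file.php`. The point of the hardened handler is that the authority is compared against the value the merchant stored for that order when the payment was requested, before the gateway is even asked; the additional pending-status and used-authority checks close the replay of the same token against the same order, which the page's description does not mention and is included here as a defensive assumption.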
Fix
Fixed in Zarinpal Gateway for WooCommerce 5.0.17
Weakness Enumeration
Improper Access Control
Related Identifiers
Affected Products
Woocommerce
Zarinpal Gateway For Woocommerce