CVE-2026-2592
Improper Access Control in Zarinpal WooCommerce Allows Order Manipulation

Publication date: 2026-02-17

Last updated on: 2026-02-17

Assigner: Wordfence

Description
The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount.
Meta Information
Published: 2026-02-17
Last Modified: 2026-02-17
Generated: 2026-05-07
AI Q&A: 2026-02-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor     Product                                Version / Range
zarinpal   zarinpal_woocommerce_payment_gateway   up to 5.0.16 (inclusive)
zarinpal   zarinpal_woocommerce_payment_gateway   5.0.17
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Zarinpal Gateway for WooCommerce plugin is an Improper Access Control issue affecting all versions up to and including 5.0.16. It occurs because the payment callback handler does not verify that the authority token in the callback URL belongs to the specific order being marked as paid.

This flaw allows unauthenticated attackers to reuse a valid authority token from a different transaction of the same amount to mark orders as paid without actually completing the payment.


How can this vulnerability impact me?

This vulnerability can lead to fraudulent order payment confirmations, where attackers can mark orders as paid without making a legitimate payment.

As a result, merchants may fulfill orders without receiving payment, causing financial loss and undermining trust in the payment system.

The vulnerability also risks the integrity of transaction records and could disrupt business operations due to unauthorized order status changes.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for unauthorized or suspicious payment callback requests to the Zarinpal WooCommerce Payment Gateway plugin, specifically those that attempt to mark orders as paid using authority tokens that do not belong to the respective orders.

One approach is to review WooCommerce order notes or logs for entries indicating invalid authority token attempts, as the patched plugin annotates orders with notes when invalid tokens are detected.

On the network or server, you can search web server access logs for callback requests to the payment callback handler endpoint (likely containing 'Return_from_ZarinPal_Gateway') with suspicious or repeated authority tokens.

- Use grep or similar tools to filter web server logs for callback URLs containing 'Return_from_ZarinPal_Gateway' and analyze the query parameters for authority tokens.
- Example command to search Apache logs for callback attempts: grep 'Return_from_ZarinPal_Gateway' /var/log/apache2/access.log
- Further filter for repeated use of the same token (extract only the Authority value, then count occurrences): grep -o 'Authority=[^& ]*' /var/log/apache2/access.log | sort | uniq -c | sort -nr

Additionally, monitoring WooCommerce order meta fields for unexpected changes or mismatches in authority tokens may help detect exploitation attempts. [1, 3]
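As an added example (not from the advisory or the plugin's own code), the following Python script carries out the log review described above on a few constructed Apache access-log lines: it extracts the Authority token and the order identifier from each callback request and reports any token presented for more than one distinct order, while ignoring a legitimate retry of the same order. The name of the order query parameter ('wc_order') and the URL shape are assumptions; adjust them to what your callback URLs actually carry.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache combined-log format (not real traffic).
# The 'wc_order' parameter name and the 'wc-api' routing are assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Feb/2026:10:01:02 +0000] "GET /?wc_order=1001&Authority=TOKA&Status=OK&wc-api=Return_from_ZarinPal_Gateway HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Feb/2026:10:01:09 +0000] "GET /?wc_order=1001&Authority=TOKA&Status=OK&wc-api=Return_from_ZarinPal_Gateway HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2026:10:05:30 +0000] "GET /?wc_order=1002&Authority=TOKB&Status=OK&wc-api=Return_from_ZarinPal_Gateway HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2026:10:06:00 +0000] "GET /shop/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Feb/2026:11:20:14 +0000] "GET /?wc_order=1003&Authority=TOKA&Status=OK&wc-api=Return_from_ZarinPal_Gateway HTTP/1.1" 200 512 "-" "curl/8.0"
"""

CALLBACK_MARKER = "Return_from_ZarinPal_Gateway"
# Captures the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def parse_callbacks(log_text, order_param="wc_order"):
    """Return (order_id, authority) pairs, one per callback request line."""
    found = []
    for line in log_text.splitlines():
        if CALLBACK_MARKER not in line:
            continue  # not a gateway callback
        m = REQUEST_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group(1)).query)
        authority = qs.get("Authority", [None])[0]
        order_id = qs.get(order_param, [None])[0]
        if authority and order_id:
            found.append((order_id, authority))
    return found


def reused_authorities(callbacks):
    """Map each Authority token to the sorted list of distinct orders it was
    presented for, keeping only tokens seen with more than one order."""
    orders_by_token = defaultdict(set)
    for order_id, authority in callbacks:
        orders_by_token[authority].add(order_id)
    return {tok: sorted(o) for tok, o in orders_by_token.items() if len(o) > 1}


if __name__ == "__main__":
    for token, orders in reused_authorities(parse_callbacks(SAMPLE_LOG)).items():
        print(f"Authority {token} presented for multiple orders: {orders}")
```

A token that shows up for several orders is worth cross-checking against the WooCommerce order notes mentioned above, since a legitimate gateway callback should only ever carry the authority issued for that one order.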


What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation step is to update the Zarinpal WooCommerce Payment Gateway plugin to version 5.0.17 or later, where the vulnerability has been fixed by implementing stricter validation of payment authority tokens during callback processing.

If updating immediately is not possible, consider temporarily disabling the Zarinpal payment gateway plugin to prevent exploitation.

Review and monitor order payment statuses and logs for any suspicious or unauthorized payment confirmations.

Ensure your WooCommerce and WordPress installations are up to date and that proper access controls are in place to limit unauthorized access to payment processing endpoints.

