CVE-2026-2592 HIGH

CVE-2026-2592: Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update

Vendor Zarinpal
Product Zarinpal Gateway
Weakness CWE-284
Published February 17, 2026
Last update April 8, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

What the vulnerability does

01 Description

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount.
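The following is an added example, not the plugin's code: a constructed model of the callback-binding defect described above. `FakeGateway`, `Merchant`, the `A-nnnnnn` token format and the sample amounts are assumptions made for the demonstration; the gateway side is modelled as verifying only (authority, amount), as the advisory's "same amount" condition implies. `callback_vulnerable` reproduces the described pattern, `callback_hardened` requires the token to be the one stored for the order and rejects a token that has already been consumed.

```python
from dataclasses import dataclass

@dataclass
class Order:
    order_id: int
    amount: int
    authority: str       # token issued when this order was sent to the gateway
    status: str = "pending"

class FakeGateway:
    def __init__(self):
        self.issued: dict[str, int] = {}   # authority -> amount; constructed stand-in for the real API
        self.paid: set[str] = set()
    def verify(self, authority: str, amount: int) -> bool:
        # The gateway knows only token and amount, not which merchant order it was issued for.
        return authority in self.paid and self.issued.get(authority) == amount

class Merchant:
    def __init__(self, gw: FakeGateway):
        self.gw, self.orders, self.consumed = gw, {}, set()
    def new_order(self, order_id: int, amount: int) -> Order:
        o = self.orders[order_id] = Order(order_id, amount, f"A-{order_id:06d}")  # constructed token
        self.gw.issued[o.authority] = amount
        return o
    def callback_vulnerable(self, order_id: int, authority: str) -> bool:
        """The advisory's pattern: any token that verifies for the order's amount is accepted."""
        order = self.orders[order_id]
        if self.gw.verify(authority, order.amount):
            order.status = "paid"
        return order.status == "paid"
    def callback_hardened(self, order_id: int, authority: str) -> bool:
        """Accept only the token stored for this order, once, and only if the gateway verifies it."""
        order = self.orders[order_id]
        if (order.status == "paid" or authority in self.consumed      # already settled / token reused
                or order.authority != authority                        # token was issued for another order
                or not self.gw.verify(authority, order.amount)):
            return False
        self.consumed.add(authority)
        order.status = "paid"
        return True

def replay_scenario(use_hardened: bool) -> str:
    """Two orders of equal amount: order 1 is genuinely paid, then its token is sent for order 2."""
    m = Merchant(FakeGateway())
    a, b = m.new_order(1, 1000), m.new_order(2, 1000)
    m.gw.paid.add(a.authority)             # only order 1 is actually paid at the gateway
    handler = m.callback_hardened if use_hardened else m.callback_vulnerable
    handler(1, a.authority)                # legitimate callback for order 1
    handler(2, a.authority)                # order 1's token presented for order 2
    return b.status
```

`replay_scenario(False)` leaves order 2 marked paid with no payment behind it; `replay_scenario(True)` leaves it pending, and the same per-order binding check is what a fix in the real callback handler needs to enforce.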

Explanation of Vulnerability in Simple Terms

02 Summary

Zarinpal Gateway versions up to 5.0.16 contain an access control flaw that allows attackers to modify data and disrupt service without authentication. The vulnerability requires specific network conditions to exploit but can compromise the integrity and availability of payment processing. Site administrators should update to a version newer than 5.0.16 as soon as possible.

What an attacker can do

03 Attacker Capabilities

Modify payment data and disrupt the gateway service without logging in.

Potential impact on your site

04 Site Impact

Payment transactions may be altered or interrupted, affecting customer trust and revenue.

Conditions required to exploit

05 Prerequisites

Network access to the vulnerable Zarinpal Gateway instance; specific network conditions required.

Key dates

06 Disclosure timeline

February 17, 2026 CVE published
April 8, 2026 Record updated