CVE-2026-2592 Overview
The Zarinpal Gateway for WooCommerce plugin for WordPress contains an Improper Access Control vulnerability in all versions up to and including 5.0.16. The vulnerability exists in the payment callback handler Return_from_ZarinPal_Gateway, which fails to properly validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This security flaw allows unauthenticated attackers to potentially mark orders as paid without completing proper payment by reusing a valid authority token from a different transaction of the same amount.
Critical Impact
Unauthenticated attackers can bypass payment verification and mark WooCommerce orders as paid without completing actual payment, potentially resulting in significant financial losses for e-commerce businesses.
Affected Products
- Zarinpal Gateway for WooCommerce plugin for WordPress versions up to and including 5.0.16
- WordPress installations running the vulnerable plugin versions
- WooCommerce stores using Zarinpal as a payment gateway
Discovery Timeline
- 2026-02-17 - CVE CVE-2026-2592 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-2592
Vulnerability Analysis
This vulnerability is classified as Improper Access Control (CWE-284), a business logic flaw in the payment verification process. The core issue resides in how the plugin handles payment callback verification from the Zarinpal payment gateway.
When a customer completes a payment through Zarinpal, the gateway sends a callback to the WordPress site with an authority token to confirm the transaction. The vulnerable Return_from_ZarinPal_Gateway function processes this callback but fails to implement proper validation that ties the authority token to a specific order ID.
The attack requires network access and can be executed without authentication, though it requires some complexity to exploit successfully. An attacker needs to obtain a valid authority token from a legitimate transaction, which could be accomplished through various means such as network interception, log file access, or completing a small legitimate transaction themselves.
Root Cause
The root cause of this vulnerability is the missing validation logic that should verify the relationship between the authority token received in the payment callback and the order being marked as paid. The callback handler in class-wc-gateway-zarinpal.php accepts authority tokens without confirming they were generated for the specific order ID in question. This allows token reuse across different orders, as long as the transaction amounts match.
Attack Vector
The attack vector is network-based and can be exploited by unauthenticated users. An attacker can exploit this vulnerability through the following approach:
- The attacker obtains a valid authority token from a legitimate completed transaction (either their own small purchase or through other means)
- The attacker identifies target orders with the same transaction amount
- The attacker crafts a callback request to the WordPress site using the reused authority token
- The vulnerable plugin marks the target order as paid without verifying the token belongs to that specific order
The vulnerability affects the payment flow at multiple points in the callback handling code, as referenced in the plugin source at lines 359, 370, 380, 409, and 412 of class-wc-gateway-zarinpal.php. For technical details on the vulnerable code, see the WordPress Plugin Source.
Detection Methods for CVE-2026-2592
Indicators of Compromise
- Unusual patterns of orders being marked as paid without corresponding payment confirmations in Zarinpal merchant dashboard
- Multiple orders showing the same authority token in payment logs
- Orders marked as completed where the authority token timestamp doesn't match the order creation time
- Discrepancies between WooCommerce payment records and Zarinpal transaction reports
Detection Strategies
- Implement log monitoring for the Return_from_ZarinPal_Gateway callback endpoint to detect repeated authority token usage
- Cross-reference WooCommerce order completion events with actual Zarinpal merchant account transactions
- Set up alerts for orders where payment verification metadata appears inconsistent
- Monitor for unusual callback request patterns from unexpected IP addresses
Monitoring Recommendations
- Enable detailed logging for all payment gateway callbacks and review regularly for anomalies
- Configure real-time alerting for financial transaction discrepancies between WooCommerce and Zarinpal
- Implement network monitoring for suspicious callback requests to the payment gateway endpoints
- Conduct regular reconciliation between store orders and payment gateway transaction records
How to Mitigate CVE-2026-2592
Immediate Actions Required
- Update the Zarinpal Gateway for WooCommerce plugin to the patched version immediately
- Review all recent orders for potential fraudulent payments by comparing WooCommerce records with Zarinpal merchant dashboard
- Temporarily disable the Zarinpal payment gateway if unable to update immediately
- Audit payment logs for any signs of token reuse or suspicious callback patterns
Patch Information
A patch has been released to address this vulnerability. The fix is available through the WordPress Plugin Changeset 3445917. Users should update to the latest version of the Zarinpal Gateway for WooCommerce plugin that includes the security fix. The patch implements proper validation to ensure authority tokens are bound to specific orders and cannot be reused across different transactions.
For detailed vulnerability information, refer to the Wordfence Vulnerability Report.
Workarounds
- Temporarily disable the Zarinpal payment gateway and use alternative payment methods until the patch is applied
- Implement manual payment verification by cross-checking all orders against the Zarinpal merchant dashboard before shipping
- Add server-side rules to monitor and log all callbacks to the payment gateway endpoint for manual review
- Consider implementing additional order verification steps before fulfillment, such as email confirmation with customers
# Temporary mitigation: Disable the Zarinpal gateway via WP-CLI
wp option update woocommerce_zarinpal_settings '{"enabled":"no"}' --format=json
# Alternative: Rename the plugin directory to disable it
# (from WordPress root directory)
mv wp-content/plugins/zarinpal-woocommerce-payment-gateway wp-content/plugins/zarinpal-woocommerce-payment-gateway.disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
