CVE-2026-2592
Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update
| CVSS Score | 7.7 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount.
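The mitigation the description implies is that the callback handler must check that the authority token it receives is the one the gateway issued for the order it is about to complete, rather than accepting any token whose verified amount happens to match. The following is an added example of that binding, written for this page; it is not the plugin's code and does not reproduce its `Return_from_ZarinPal_Gateway` handler. It assumes WooCommerce's `WC_Order` API (`wc_get_order`, `get_meta`/`update_meta_data`, `is_paid`, `payment_complete`) and the WordPress helpers `absint`, `sanitize_text_field` and `wp_unslash`. The meta key `_gateway_authority`, the function names, and the `$verify_with_gateway` callable that stands in for the server-to-server verification call are all hypothetical.

```php
<?php
// Added example, not the plugin's code: bind the gateway "authority" token to the
// order it was issued for, so a callback can only complete that specific order.
// Assumes WooCommerce's WC_Order API; the gateway verification call is stubbed
// behind a callable because its real signature is not part of this example.

const ORDER_AUTHORITY_META = '_gateway_authority'; // hypothetical meta key

/**
 * Step 1: when the customer is redirected to the gateway, record the authority
 * token the gateway issued for this specific order.
 */
function example_store_authority_for_order( int $order_id, string $authority ): void {
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return;
    }
    $order->update_meta_data( ORDER_AUTHORITY_META, $authority );
    $order->save();
}

/**
 * Step 2: callback handler. Every check is made against the order named in the
 * callback, never against "any order with this amount".
 *
 * $verify_with_gateway is a callable (string $authority, int $amount): bool that
 * performs the server-to-server verification; it stands in for the real gateway call.
 */
function example_handle_gateway_return( array $query, callable $verify_with_gateway ): bool {
    $order_id  = isset( $query['order_id'] ) ? absint( $query['order_id'] ) : 0;
    $authority = isset( $query['Authority'] ) ? sanitize_text_field( wp_unslash( $query['Authority'] ) ) : '';
    $order     = $order_id ? wc_get_order( $order_id ) : false;

    if ( ! $order || '' === $authority ) {
        return false;
    }

    // An order that is already paid must not be completed again by a replayed callback.
    if ( $order->is_paid() ) {
        return false;
    }

    // Core check: the token in the callback must be the one issued for THIS order.
    // A valid token from a different transaction of the same amount fails here.
    $expected = (string) $order->get_meta( ORDER_AUTHORITY_META );
    if ( '' === $expected || ! hash_equals( $expected, $authority ) ) {
        $order->add_order_note( 'Payment callback rejected: authority token does not belong to this order.' );
        return false;
    }

    // Verify with the gateway using this order's own total, not an amount taken
    // from the request, so a token issued for a different amount also fails.
    $amount = (int) round( (float) $order->get_total() );
    if ( ! $verify_with_gateway( $authority, $amount ) ) {
        $order->update_status( 'failed', 'Gateway verification failed.' );
        return false;
    }

    // Record the authority as the transaction reference and make it single-use,
    // so the same callback cannot complete the order a second time.
    $order->payment_complete( $authority );
    $order->delete_meta_data( ORDER_AUTHORITY_META );
    $order->save();
    return true;
}
```

The two properties a reviewer should look for in any callback handler of this kind are visible here: the token is tied to a specific order before the customer leaves the site, and the completion path compares against that stored value (with a constant-time comparison) before it trusts the gateway's amount-based verification.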
| CWE | CWE-284 |
| Vendor | zarinpal |
| Product | zarinpal gateway |
| Published | Feb 17, 2026 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
| Attack Vector | Network (AV:N) |
| Attack Complexity | High (AC:H) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | Low (C:L) |
| Integrity | High (I:H) |
| Availability | High (A:H) |
Affected Versions
zarinpal / Zarinpal Gateway
0 ≤ 5.0.16
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/e33fcd17-318b-408e-86bf-b4ece46121cc?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L359
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L370
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L380
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L409
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L412
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3445917/
Credits
Angus Girvan