{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2592", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-16T16:34:33.188Z", "datePublished": "2026-02-17T04:35:45.952Z", "dateUpdated": "2026-04-08T17:29:22.353Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:22.353Z"}, "affected": [{"vendor": "zarinpal", "product": "Zarinpal Gateway", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount."}], "title": "Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e33fcd17-318b-408e-86bf-b4ece46121cc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L359"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L370"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L380"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L409"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L412"}, {"url": "https://plugins.trac.wordpress.org/changeset/3445917/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control", "cweId": "CWE-284", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "baseScore": 7.7, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2026-02-16T16:35:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:06:04.903581Z", "id": "CVE-2026-2592", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:06:18.488Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2592", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-17T15:06:04.903581Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:06:14.400Z"}}], "cna": {"title": "Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H"}}], "affected": [{"vendor": "zarinpal", "product": "Zarinpal Gateway", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-16T16:35:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e33fcd17-318b-408e-86bf-b4ece46121cc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L359"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L370"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L380"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L409"}, {"url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L412"}, {"url": "https://plugins.trac.wordpress.org/changeset/3445917/"}], "descriptions": [{"lang": "en", "value": "The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:22.353Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2592", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:22.353Z", "dateReserved": "2026-02-16T16:34:33.188Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-17T04:35:45.952Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount."}, {"lang": "es", "value": "El plugin Zarinpal Gateway para WooCommerce para WordPress es vulnerable a Control de Acceso Inadecuado para la Actualizaci\u00f3n del Estado de Pago en todas las versiones hasta la 5.0.16 inclusive. Esto se debe a que el manejador de devoluci\u00f3n de llamada de pago 'Return_from_ZarinPal_Gateway' no valida que el token de autoridad proporcionado en la URL de devoluci\u00f3n de llamada pertenezca al pedido espec\u00edfico que se est\u00e1 marcando como pagado. Esto hace posible que atacantes no autenticados puedan marcar pedidos como pagados sin el pago adecuado al reutilizar un token de autoridad v\u00e1lido de una transacci\u00f3n diferente del mismo importe."}], "id": "CVE-2026-2592", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-17T05:16:17.430", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L359"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L370"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L380"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L409"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zarinpal-woocommerce-payment-gateway/trunk/class-wc-gateway-zarinpal.php#L412"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3445917/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e33fcd17-318b-408e-86bf-b4ece46121cc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.0.16]"}}], "product": "zarinpal_gateway", "vendor": "zarinpal"}], "analysis": {"en": {"generated_at": "2026-04-15T17:09:49.820168+00:00", "value": {"mitigation_remediation": ["Upgrade the Zarinpal Gateway for WooCommerce plugin to a version newer than 5.0.16.", "Configure the payment callback handler to validate that the authority token matches the specific order before marking it as paid.", "Implement monitoring of order status changes for anomalies and configure alerts for suspicious paid orders."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized order status manipulation possible"}, "threat_synthesis": {"affected_systems": "All installations of the Zarinpal Gateway for WooCommerce WordPress plugin up to and including version 5.0.16 are affected. Sites running those versions should consider themselves vulnerable.", "description_and_impact": "The Zarinpal Gateway for WooCommerce plugin allows an attacker to change an order\u2019s status to paid without completing a legitimate transaction by reusing an authority token that belongs to a different order. This flaw is caused by the callback handler not verifying that the token supplied matches the order in question. The result is that fraudulent orders could be marked as paid, leading to financial loss and trust erosion.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.7 and an EPSS of less than 1\u202f%, indicating that while the flaw is technically significant, exploitation may be rare. Because it relies on the payment callback URL and a valid authority token, an attacker can trigger it remotely by crafting a request that includes a token from another transaction of the same amount. The flaw is not listed in CISA\u2019s KEV catalog, but the potential for unauthorized payment status changes warrants immediate remediation."}}}}, "created": "2026-02-17T08:48:53.051408+00:00", "updated": "2026-04-15T17:30:10.458790+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "zarinpal", "zarinpal$PRODUCT$zarinpal_gateway"]}