CVE-2026-2592

7.7 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to mark WooCommerce orders as paid without actual payment by reusing valid payment tokens from other transactions. It affects all WordPress sites using the Zarinpal Gateway for WooCommerce plugin up to version 5.0.16. Attackers can exploit this to obtain products or services without paying.

💻 Affected Systems

Products:
  • Zarinpal Gateway for WooCommerce WordPress plugin
Versions: All versions up to and including 5.0.16
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with WooCommerce and the Zarinpal plugin enabled and configured.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass financial fraud where attackers obtain high-value products/services without payment, potentially bankrupting merchants through inventory loss and payment processing fees.

🟠 Likely Case

Targeted fraud where attackers obtain moderate-value products by reusing payment tokens from legitimate transactions of the same amount.

🟢 If Mitigated

No impact if proper token validation is implemented to ensure payment tokens are uniquely tied to specific orders.

🌐 Internet-Facing: HIGH - The vulnerability is in a payment callback handler accessible from the internet without authentication.
🏢 Internal Only: LOW - The vulnerability requires external payment callback access, making internal-only deployments less vulnerable.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires obtaining a valid authority token from another transaction of the same amount, which could be obtained through monitoring or social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.17 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3200000%40zarinpal-woocommerce-payment-gateway%2Ftrunk&old=3199999%40zarinpal-woocommerce-payment-gateway%2Ftrunk

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'Zarinpal Gateway for WooCommerce'.
  4. Click 'Update Now' if available.
  5. If no update appears, manually download version 5.0.17+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable Zarinpal Plugin

Platform: all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate zarinpal-woocommerce-payment-gateway

Restrict Payment Callback Access

Platform: linux

Use web application firewall or web server rules to restrict access to the payment callback endpoint. The allow list must include the payment provider's own callback source addresses, otherwise legitimate payment confirmations are blocked as well; and because WooCommerce also serves gateway callbacks through the `?wc-api=` query parameter, a path-only location block does not cover every route to the handler.

# Example nginx location block:
location ~* /wc-api/zarinpal_gateway/ {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
}

🧯 If You Can't Patch

  • Implement manual order verification where staff manually confirm payments before fulfilling orders.
  • Switch to an alternative payment gateway plugin that doesn't have this vulnerability.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin under Plugins → Installed Plugins. If the Zarinpal Gateway for WooCommerce version is 5.0.16 or lower, the site is vulnerable.

Check Version:

wp plugin get zarinpal-woocommerce-payment-gateway --field=version

Verify Fix Applied:

After updating, verify the plugin version shows 5.0.17 or higher. Test payment flow to ensure orders only complete with valid, unique payment tokens.

📡 Detection & Monitoring

Log Indicators:

  • Multiple orders marked as paid with same authority token
  • Orders completed without corresponding payment gateway transactions
  • Unusual pattern of same-amount orders from different customers

Network Indicators:

  • Repeated requests to /wc-api/zarinpal_gateway/ with same parameters
  • Payment callback requests from unexpected IP ranges

SIEM Query:

source="wordpress.log" AND "zarinpal_gateway" AND "authority=" | stats count by authority | where count > 1
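The same reuse check can be run offline over exported callback logs. This is an added example, not code from this page or from the plugin: it parses constructed sample lines in an assumed log layout (timestamp, client IP, path, then order/authority/amount/status fields) and flags every successful callback whose authority token was already accepted for a different order.

```python
import re

# Constructed sample lines in a hypothetical access-log format (the field layout is an
# assumption, not the plugin's real log format); 198.51.100.7 replays order 1001's token.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 203.0.113.10 /wc-api/zarinpal_gateway/ order=1001 authority=A0000001 amount=50000 status=OK
2026-03-01T10:05:12Z 203.0.113.11 /wc-api/zarinpal_gateway/ order=1002 authority=A0000002 amount=75000 status=OK
2026-03-01T10:06:40Z 198.51.100.7 /wc-api/zarinpal_gateway/ order=1003 authority=A0000001 amount=50000 status=OK
2026-03-01T10:07:03Z 198.51.100.7 /wc-api/zarinpal_gateway/ order=1004 authority=A0000001 amount=50000 status=OK
2026-03-01T10:09:55Z 203.0.113.12 /wc-api/zarinpal_gateway/ order=1005 authority=A0000003 amount=50000 status=NOK
malformed line that should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+) order=(?P<order>\d+) "
    r"authority=(?P<authority>\S+) amount=(?P<amount>\d+) status=(?P<status>\S+)$"
)

def parse_log(text):
    """Parse callback lines into dicts, skipping lines that do not match the assumed format."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_replays(events):
    """Return callbacks that reuse an authority already accepted for a different order.

    Events are processed in timestamp order; the first successful callback for an
    authority is treated as the legitimate payment, every later one bound to another
    order id is flagged. Returns a list of (order, authority, client_ip) tuples.
    """
    first_order = {}  # authority -> order id of its first accepted use
    replays = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["status"] != "OK":
            continue  # failed callbacks never mark an order paid
        auth = ev["authority"]
        if auth not in first_order:
            first_order[auth] = ev["order"]
        elif first_order[auth] != ev["order"]:
            replays.append((ev["order"], auth, ev["ip"]))
    return replays

if __name__ == "__main__":
    for order, auth, ip in find_replays(parse_log(SAMPLE_LOG)):
        print(f"ALERT: order {order} marked paid with reused authority {auth} from {ip}")
```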
