CVE-2026-2592
Published: 17 February 2026
Summary
CVE-2026-2592 is a high-severity Improper Access Control (CWE-284) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations, directly addressing the plugin's failure to enforce that only matching authority tokens update specific order payment status.
SI-10 mandates validation of information inputs like the authority token to ensure it corresponds to the targeted order before marking it as paid.
AC-24 ensures access control decisions for order status updates are based on proper token validation, preventing reuse of tokens from unrelated transactions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper access control in public-facing WooCommerce payment callback directly enables unauthenticated exploitation of the web application (T1190) and unauthorized modification of stored order payment status (T1565.001).
NVD Description
The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount.
Deeper analysis
CVE-2026-2592 is an improper access control vulnerability affecting the Zarinpal Gateway for WooCommerce plugin for WordPress in all versions up to and including 5.0.16. The issue resides in the payment callback handler function 'Return_from_ZarinPal_Gateway', which fails to validate that the authority token provided in the callback URL corresponds to the specific order being marked as paid. This flaw, classified under CWE-284, carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability over the network with high attack complexity. By reusing a valid authority token obtained from a different transaction of the same monetary amount, attackers can trick the plugin into marking arbitrary orders as paid without completing an actual payment. Successful exploitation grants low confidentiality impact, high integrity and availability impacts, potentially allowing fraudulent order fulfillment.
The provided references point to specific lines in the plugin's source code at class-wc-gateway-zarinpal.php (lines 359, 370, 380, 409, and 412), highlighting the locations where the inadequate token validation occurs in the callback handling logic. No vendor advisories or patches are detailed in the available information.
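The missing check described above, modelled as an added example (not the plugin's code and not the ZarinPal API): the authority token issued at payment-request time is stored on the order, and the callback accepts only a token that matches the stored one, so a token from another transaction of the same amount is rejected. FakeGateway, the function names and the sample orders are constructed for illustration.

```python
"""Model of binding a gateway authority token to one order (constructed example;
FakeGateway is a stand-in, not the ZarinPal API or the plugin's code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Order:
    order_id: int
    amount: int                      # smallest currency unit
    status: str = "pending"
    authority: Optional[str] = None  # token recorded when payment was requested

class FakeGateway:
    """Stand-in gateway: issues tokens and confirms a token/amount pair."""
    def __init__(self) -> None:
        self._issued: Dict[str, int] = {}

    def request(self, amount: int) -> str:
        token = "A" + secrets.token_hex(17)
        self._issued[token] = amount
        return token

    def verify(self, authority: str, amount: int) -> bool:
        return self._issued.get(authority) == amount

def start_payment(order: Order, gw: FakeGateway) -> str:
    # Persist the issued token on the order (order meta, in WooCommerce terms).
    order.authority = gw.request(order.amount)
    return order.authority

def callback_unbound(order: Order, authority: str, status: str, gw: FakeGateway) -> bool:
    # Pattern the advisory describes: the gateway confirms the token is valid for
    # this amount, but nothing ties the token to *this* order.
    if status == "OK" and gw.verify(authority, order.amount):
        order.status = "paid"
        return True
    return False

def callback_bound(order: Order, authority: str, status: str, gw: FakeGateway) -> bool:
    # Hardened: the token must match the one stored for this order, the order
    # must still be pending, and the gateway must confirm the amount.
    if order.status != "pending" or status != "OK" or order.authority is None:
        return False
    if not secrets.compare_digest(order.authority, authority):
        return False  # token was issued for a different transaction
    if not gw.verify(authority, order.amount):
        return False
    order.status = "paid"
    return True
```

Detection-wise, the same binding gives a log signal: a callback whose authority does not match the token stored for the referenced order is worth alerting on, since legitimate gateway redirects never produce it.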
Details
- CWE(s)