Cyber Resilience

CVE-2026-2592

High

Published: 17 February 2026

Published
17 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
EPSS Score 0.0014 33.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2592 is a high-severity Improper Access Control (CWE-284) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-2592 is an improper access control vulnerability affecting the Zarinpal Gateway for WooCommerce plugin for WordPress in all versions up to and including 5.0.16. The issue resides in the payment callback handler function 'Return_from_ZarinPal_Gateway', which fails to validate that the authority token provided in the callback URL corresponds to the specific order being marked as paid. This flaw, classified under CWE-284, carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability over the network with high attack complexity. By reusing a valid authority token obtained from a different transaction of the same monetary amount, attackers can trick the plugin into marking arbitrary orders as paid without completing an actual payment. Successful exploitation grants low confidentiality impact, high integrity and availability impacts, potentially allowing fraudulent order fulfillment.

The provided references point to specific lines in the plugin's source code at class-wc-gateway-zarinpal.php (lines 359, 370, 380, 409, and 412), highlighting the locations where the inadequate token validation occurs in the callback handling logic. No vendor advisories or patches are detailed in the available information.

EU & UK References

Vulnerability details

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the…

more

authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Improper access control in public-facing WooCommerce payment callback directly enables unauthenticated exploitation of the web application (T1190) and unauthorized modification of stored order payment status (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56889Shared CWE-284
CVE-2026-32752Shared CWE-284
CVE-2026-39339Shared CWE-284
CVE-2026-46839Shared CWE-284
CVE-2025-26010Shared CWE-284
CVE-2026-34291Shared CWE-284
CVE-2023-47539Shared CWE-284
CVE-2026-23899Shared CWE-284
CVE-2025-7016Shared CWE-284
CVE-2026-46822Shared CWE-284

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires enforcement of approved authorizations, directly addressing the plugin's failure to enforce that only matching authority tokens update specific order payment status.

prevent

SI-10 mandates validation of information inputs like the authority token to ensure it corresponds to the targeted order before marking it as paid.

prevent

AC-24 ensures access control decisions for order status updates are based on proper token validation, preventing reuse of tokens from unrelated transactions.

References