Zarinpal Gateway for WooCommerce Improper Access Control Vulnerability
Vulnerability
The Zarinpal Gateway for WooCommerce plugin for WordPress is affected by an improper access control vulnerability in all versions up to and including 5.0.16. The payment callback handler, 'Return_from_ZarinPal_Gateway', does not verify that the authority token presented in the callback URL is the token that was issued for the specific order being marked as paid. Because the check is satisfied by any valid token whose transaction amount matches the order total, unauthenticated attackers can reuse a valid authority token from a different transaction of the same amount to mark an unpaid order as paid.
Impact
Exploitation of this vulnerability could lead to unauthorized payment status updates, allowing orders to be marked as paid without actual payment being received.
Reproduction
To reproduce this vulnerability, an attacker sends a payment callback to the 'Return_from_ZarinPal_Gateway' endpoint for a target order, supplying a valid authority token that was previously used in a different transaction of the same amount. The token can be reused from the 'wp_ajax_zarinpal_update_payment_method' AJAX action, which is reachable by unauthenticated users.
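The following is an added illustration of the missing check described in the Vulnerability and Reproduction sections above; it is not the plugin's own code. Orders and the gateway's verification call are modelled in memory with constructed sample data, so the script runs stand-alone with the PHP CLI. All function names, array fields and token values are assumptions made for the illustration. It contrasts a callback handler that binds the token to the order only through the amount with one that requires the exact authority stored on the order when payment was started, rejects orders that are no longer awaiting payment, and refuses to accept the same token twice.

```php
<?php
// Constructed sample data: two orders with the same total. Order 1001 was
// genuinely paid under authority token A-1111; order 1002 is still unpaid and
// was issued its own token A-2222 when checkout started.
$orders = [
    1001 => ['amount' => 50000, 'status' => 'completed', 'authority' => 'A-1111'],
    1002 => ['amount' => 50000, 'status' => 'pending',   'authority' => 'A-2222'],
];

// Stub for the gateway's verify endpoint (assumption, not ZarinPal's real API):
// it knows only the token and the amount paid under it, which is exactly why
// matching on amount alone cannot tie a token to a particular order.
$gateway_transactions = ['A-1111' => 50000];

function gateway_verify(string $authority, int $amount, array $transactions): bool {
    return isset($transactions[$authority]) && $transactions[$authority] === $amount;
}

// Vulnerable pattern: order_id and Authority from the callback are trusted
// independently. Any paid token of the same amount marks the target order paid.
function callback_vulnerable(array &$orders, array $transactions, array $request): bool {
    $order_id  = (int) $request['order_id'];
    $authority = (string) $request['Authority'];
    if (!isset($orders[$order_id])) {
        return false;
    }
    if (gateway_verify($authority, $orders[$order_id]['amount'], $transactions)) {
        $orders[$order_id]['status'] = 'completed';
        return true;
    }
    return false;
}

// Hardened pattern: the token issued at payment start is stored on the order
// and the callback must present that exact token; the order must still be
// awaiting payment; and a verified token is consumed so it cannot be replayed.
function callback_fixed(array &$orders, array $transactions, array &$used_tokens, array $request): bool {
    $order_id  = (int) $request['order_id'];
    $authority = (string) $request['Authority'];
    if (!isset($orders[$order_id])) {
        return false;
    }
    $order = $orders[$order_id];
    if ($order['status'] !== 'pending') {
        return false; // already paid, cancelled or otherwise not awaiting payment
    }
    if (!hash_equals($order['authority'], $authority)) {
        return false; // token was not issued for this order
    }
    if (isset($used_tokens[$authority])) {
        return false; // token already consumed by an earlier callback
    }
    if (!gateway_verify($authority, $order['amount'], $transactions)) {
        return false; // gateway does not confirm a payment under this token
    }
    $used_tokens[$authority] = true;
    $orders[$order_id]['status'] = 'completed';
    return true;
}

// Attack from the advisory: replay order 1001's token against unpaid order 1002.
$forged = ['order_id' => 1002, 'Authority' => 'A-1111'];

$copy = $orders;
echo 'vulnerable handler accepted forged callback: ',
     var_export(callback_vulnerable($copy, $gateway_transactions, $forged), true), PHP_EOL;

$copy = $orders;
$used = [];
echo 'hardened handler accepted forged callback: ',
     var_export(callback_fixed($copy, $gateway_transactions, $used, $forged), true), PHP_EOL;

// The legitimate callback for order 1002, once the gateway records a payment
// under A-2222, is still accepted by the hardened handler.
$gateway_transactions['A-2222'] = 50000;
echo 'hardened handler accepted legitimate callback: ',
     var_export(callback_fixed($copy, $gateway_transactions, $used,
                               ['order_id' => 1002, 'Authority' => 'A-2222']), true), PHP_EOL;
```

In a real WooCommerce gateway the stored authority would live in order meta written when the payment request is created, and the status check would use the order's own "needs payment" state rather than a string compare; the point of the example is that amount and token validity are each checked, but only the stored per-order authority binds the two together.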
Remediation
Users are advised to update the Zarinpal Gateway for WooCommerce plugin to version 5.0.17 or later, which addresses this vulnerability.
