CVE-2026-2592

Zarinpal · Zarinpal Gateway for WooCommerce plugin

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to improper access control, allowing unauthorized modification of payment status updates.

Executive summary

A high-severity access control vulnerability in the Zarinpal Gateway plugin could allow attackers to manipulate payment statuses, leading to financial loss and order fulfillment fraud.

Vulnerability

The plugin fails to properly validate access controls during payment status updates. This allows an attacker to potentially mark unpaid orders as "paid" or otherwise manipulate the transaction lifecycle without proper authorization.

Business impact

This vulnerability directly impacts the financial integrity of e-commerce operations. Attackers could obtain goods or services without payment, resulting in direct revenue loss. The CVSS score of 7.7 reflects the high risk to business logic and financial transactions.

Remediation

Immediate Action: Update the Zarinpal Gateway for WooCommerce plugin to the latest version.

Proactive Monitoring: Audit recent WooCommerce orders to ensure that payment statuses match actual transactions in the Zarinpal merchant portal.

Compensating Controls: Implement additional verification steps for high-value orders and use a Web Application Firewall (WAF) to filter suspicious requests to payment callback endpoints.
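The audit step above (checking that order payment statuses match what the gateway actually verified) can be scripted. The following is an added example, not code from the plugin or from Zarinpal: it assumes you have exported your WooCommerce orders and the gateway's transaction list into the two record shapes shown, and that an order in a paid status with no verified, amount-matching gateway transaction is the footprint to look for.

```python
"""Reconcile WooCommerce order payment status against gateway records.

Added example (not plugin code). Field names below are assumptions about
the export format; adapt them to the columns of your own order and
merchant-portal exports. Amounts are integers (e.g. rials), so no floats.
"""
from dataclasses import dataclass

# WooCommerce statuses that imply the store believes the order was paid.
PAID_STATUSES = {"processing", "completed"}


@dataclass(frozen=True)
class Order:
    order_id: int
    status: str
    total: int
    transaction_id: str  # gateway reference stored on the order; may be empty


@dataclass(frozen=True)
class GatewayTx:
    ref_id: str
    amount: int
    verified: bool  # True only if the gateway reports a successful verification


def find_suspicious_orders(orders, gateway_txs):
    """Return (order_id, reason) for paid orders the gateway does not back."""
    by_ref = {tx.ref_id: tx for tx in gateway_txs}
    findings = []
    for o in orders:
        if o.status not in PAID_STATUSES:
            continue  # unpaid orders are not the concern here
        tx = by_ref.get(o.transaction_id)
        if tx is None:
            findings.append((o.order_id, "no gateway transaction"))
        elif not tx.verified:
            findings.append((o.order_id, "gateway transaction not verified"))
        elif tx.amount != o.total:
            findings.append((o.order_id, "amount mismatch"))
    return findings


# Constructed sample data for a stand-alone run.
ORDERS = [
    Order(1001, "processing", 500000, "A1"),  # backed by a verified tx
    Order(1002, "completed", 250000, ""),     # paid status, no tx at all
    Order(1003, "processing", 900000, "A3"),  # tx exists but for less
    Order(1004, "pending", 120000, ""),       # unpaid, not flagged
    Order(1005, "completed", 300000, "A5"),   # tx never verified
]
GATEWAY = [GatewayTx("A1", 500000, True), GatewayTx("A3", 90000, True),
           GatewayTx("A5", 300000, False)]

if __name__ == "__main__":
    for order_id, reason in find_suspicious_orders(ORDERS, GATEWAY):
        print(f"order {order_id}: {reason}")
```

Every flagged order should be checked by hand against the merchant portal before the order is cancelled or refunded, since a missing reference can also come from a legitimate manual payment.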

Exploitation status

Public Exploit Available: false

Analyst recommendation

E-commerce site administrators must prioritize this update to protect their revenue streams. In addition to patching, a manual audit of recent transactions is recommended to ensure no exploitation has already occurred.