Does Zarinpal Gateway have any unpatched vulnerabilities?

No. All known vulnerabilities in Zarinpal Gateway have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Zarinpal Gateway compatible with WordPress 6.7.5?

According to WordPress.org data, Zarinpal Gateway 5.0.17 has been tested up to WordPress 6.7.5. Check the plugin's changelog for the latest compatibility information.

Is Zarinpal Gateway compatible with PHP 7.0+?

Zarinpal Gateway requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Zarinpal Gateway updated?

Zarinpal Gateway was last updated on Jan 24, 2026. Frequent updates are generally a positive security signal.

What is Zarinpal Gateway's security score?

Zarinpal Gateway has a WP-Safety security score of 97/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Zarinpal Gateway Security & Risk Analysis

wordpress.org/plugins/zarinpal-woocommerce-payment-gateway

پرداخت اینترنتی وجه به وسیله درگاه پرداخت واسطه زرین پال

60K active installs v5.0.17 PHP 7.0+ WP 5.8+ Updated Jan 24, 2026

%d9%88%d9%88%da%a9%d8%a7%d9%85%d8%b1%d8%b3woocommercezarinpal%d8%af%d8%b1%da%af%d8%a7%d9%87%d8%b2%d8%b1%db%8c%d9%86-%d9%be%d8%a7%d9%84

A · Safe

CVEs total1

Unpatched0

Last CVEFeb 16, 2026

Plugin page Download

Safety Verdict

Is Zarinpal Gateway Safe to Use in 2026?

Generally Safe

Score 97/100

Zarinpal Gateway has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Feb 16, 2026Updated 2mo ago

Risk Assessment

The zarinpal-woocommerce-payment-gateway plugin, version 5.0.17, exhibits several positive security practices, including the exclusive use of prepared statements for SQL queries and a reasonable percentage of properly escaped output. The absence of identified critical or high severity taint flows is also a good sign. However, the plugin does present some areas of concern. The presence of 7 AJAX handlers, even with all currently protected by authentication, represents a notable attack surface. The file operation and external HTTP requests, while not inherently problematic, warrant attention during further review to ensure they are handled securely. Furthermore, the plugin has a history of known vulnerabilities, specifically one high severity issue related to Improper Access Control. While this vulnerability is currently unpatched, its past occurrence suggests a potential recurring weakness in access control mechanisms. The last recorded vulnerability date also seems to be in the future, which is unusual and requires investigation.

Key Concerns

Past high severity vulnerability (Improper Access Control)
7 AJAX handlers represent a notable attack surface
One file operation found
Four external HTTP requests found
Unusual future date for last vulnerability

Vulnerabilities

Zarinpal Gateway Security Vulnerabilities

CVEs by Year

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

High

1 total CVE

CVE-2026-2592high · 7.7Improper Access Control

Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update

Feb 16, 2026 Patched in 5.0.17 (1d)

Code Analysis

Analyzed Mar 16, 2026

Zarinpal Gateway Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

46 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

72% escaped64 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

3 flows2 with unsanitized paths

Return_from_ZarinPal_Gateway (class-wc-gateway-zarinpal.php:378)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Zarinpal Gateway Attack Surface

Entry Points7

Unprotected0

AJAX Handlers 7

authwp_ajax_get_zarinpal_feeclass-wc-gateway-zarinpal.php:1040

noprivwp_ajax_get_zarinpal_feeclass-wc-gateway-zarinpal.php:1041

authwp_ajax_zarinpal_update_payment_methodclass-wc-gateway-zarinpal.php:1043

noprivwp_ajax_zarinpal_update_payment_methodclass-wc-gateway-zarinpal.php:1044

authwp_ajax_zpal_transaction_infoclass-wc-gateway-zarinpal.php:1174

noprivwp_ajax_zpal_transaction_infoclass-wc-gateway-zarinpal.php:1175

authwp_ajax_zpal_manual_verifyclass-wc-gateway-zarinpal.php:1323

WordPress Hooks 25

actionplugins_loadedclass-wc-gateway-zarinpal.php:10

filterwoocommerce_payment_gatewaysclass-wc-gateway-zarinpal.php:17

filterwoocommerce_currenciesclass-wc-gateway-zarinpal.php:22

filterwoocommerce_currency_symbolclass-wc-gateway-zarinpal.php:30

actionwoocommerce_email_after_order_tableclass-wc-gateway-zarinpal.php:96

actionwoocommerce_order_status_refundedclass-wc-gateway-zarinpal.php:98

actionadmin_bar_menuclass-wc-gateway-zarinpal.php:100

actionadmin_noticesclass-wc-gateway-zarinpal.php:102

actionadmin_noticesclass-wc-gateway-zarinpal.php:103

actionwoocommerce_cart_calculate_feesclass-wc-gateway-zarinpal.php:105

actionwoocommerce_checkout_update_order_metaclass-wc-gateway-zarinpal.php:106

actionwoocommerce_checkout_update_order_reviewclass-wc-gateway-zarinpal.php:107

actionwoocommerce_store_api_register_endpoint_dataclass-wc-gateway-zarinpal.php:108

actionwoocommerce_store_api_checkout_update_order_from_requestclass-wc-gateway-zarinpal.php:109

actionwoocommerce_checkout_create_orderclass-wc-gateway-zarinpal.php:110

actionwoocommerce_blocks_checkout_order_processedclass-wc-gateway-zarinpal.php:111

actionwoocommerce_store_api_cart_update_customerclass-wc-gateway-zarinpal.php:112

filterwoocommerce_get_price_decimalsclass-wc-gateway-zarinpal.php:113

actionwp_headclass-wc-gateway-zarinpal.php:115

actionplugins_loadedclass-wc-gateway-zarinpal.php:1038

actionupgrader_process_completeclass-wc-gateway-zarinpal.php:1157

actionwoocommerce_admin_order_data_after_order_detailsclass-wc-gateway-zarinpal.php:1393

actionbefore_woocommerce_initindex.php:21

actionwoocommerce_blocks_loadedindex.php:28

actionwoocommerce_blocks_payment_method_type_registrationindex.php:31

Maintenance & Trust

Zarinpal Gateway Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5

Last updatedJan 24, 2026

PHP min version7.0

Downloads672K

Community Trust

Rating70/100

Number of ratings13

Active installs60K

Alternatives

Zarinpal Gateway Alternatives

ووکامرس فارسی

persian-woocommerce

بسته ووکامرس فارسی به راحتی سیستم فروشگاه ساز ووکامرس را فارسی می کند و امکانات جدید متناسب با ایران را به ووکامرس اضافه میکند.

100K 2 CVEs

پارسی دیت – Parsi Date

wp-parsidate

Persian date support for WordPress

100K 2 CVEs

افزونه پیامک ووکامرس Persian WooCommerce SMS

persian-woocommerce-sms

افزونه کامل و حرفه ای برای اطلاع رسانی پیامکی سفارشات و رویداد های محصولات ووکامرس

50K 1 unpatched

PayPing Gateway For Woocommerce

woo-payping-gateway

100

افزونه درگاه پرداخت پی‌پینگ برای ووکامرس

3K No CVEs

IranDargah Payment Gateway for Woocommerce

irandargah-payment-gateway-for-woocommerce

100

پرداخت اینترنتی وجه به وسیله درگاه پرداخت ایران درگاه برای افزونه ووکامرس

500 No CVEs

Developer Profile

Zarinpal Gateway Developer Profile

zarinpal

1 plugin · 60K total installs

trust score

Avg Security Score

97/100

Avg Patch Time

1 days

View full developer profile

Detection Fingerprints

How We Detect Zarinpal Gateway

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/zarinpal-woocommerce-payment-gateway/assets/images/logo.svg/wp-content/plugins/zarinpal-woocommerce-payment-gateway/assets/css/cart.css

Version Parameters

zarinpal-woocommerce-payment-gateway/assets/css/cart.css?ver=zarinpal-woocommerce-payment-gateway/assets/js/zarinpal.js?ver=

HTML / DOM Fingerprints

CSS Classes

wc-zpal-gateway-link

HTML Comments

Data Attributes

data-gateway-id="WC_ZPal"data-merchant-codedata-sandbox

JS Globals

window.zarinpal_payment_gateway_paramsvar wc_zarinpal_params

REST Endpoints

/wp-json/wc-zarinpal/v1/get-payment-url

FAQ