CVE-2026-1128
Description
The WP eCommerce WordPress plugin through 3.15.1 does not have a CSRF check in place when deleting coupons, which could allow attackers to make a logged-in admin remove them via a CSRF attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP eCommerce plugin through 3.15.1 lacks CSRF protection when deleting coupons, allowing attackers to trick an admin into deleting coupons via a cross-site request forgery attack.
The WP eCommerce WordPress plugin through version 3.15.1 fails to include a Cross-Site Request Forgery (CSRF) check in the coupon deletion functionality. This means that when a logged-in administrator performs a coupon deletion action, the request is not validated to ensure it was intentionally made by the administrator. This vulnerability is categorized under CWE-352: Cross-Site Request Forgery [1].
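The missing check described above, shown as an added example (not WP eCommerce's code): a hypothetical WordPress coupon-delete handler with no nonce check, beside a version that verifies one. The example_* functions, the example_delete_coupon action, the coupon_id parameter and the example_coupons table are assumptions; the WordPress calls are core APIs.

```php
<?php
// Added illustration. All example_* names, the action name, the "coupon_id"
// parameter and the table name are hypothetical, not the plugin's identifiers.

// Before: the delete is authorised by the admin's session cookie alone, so a
// request the browser sends from any other site is honoured as well.
function example_delete_coupon_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', 403 );
    }
    example_remove_coupon( absint( $_REQUEST['coupon_id'] ?? 0 ) );
}

// After: POST only, capability check, and a nonce that WordPress ties to the
// action string (including the coupon id) and the current user's session.
function example_delete_coupon_protected() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', '', 405 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', 403 );
    }
    $coupon_id = absint( $_POST['coupon_id'] ?? 0 );
    // Terminates the request if the _wpnonce field is missing or invalid.
    check_admin_referer( 'example_delete_coupon_' . $coupon_id );
    example_remove_coupon( $coupon_id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-coupons' ) );
    exit;
}
add_action( 'admin_post_example_delete_coupon', 'example_delete_coupon_protected' );

// The admin screen emits the matching nonce inside the delete form.
function example_render_delete_form( $coupon_id ) {
    $coupon_id = absint( $coupon_id );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_delete_coupon">';
    echo '<input type="hidden" name="coupon_id" value="' . esc_attr( $coupon_id ) . '">';
    wp_nonce_field( 'example_delete_coupon_' . $coupon_id );
    submit_button( 'Delete coupon', 'delete' );
    echo '</form>';
}

// Hypothetical storage call standing in for the plugin's own coupon table.
function example_remove_coupon( $coupon_id ) {
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'example_coupons', array( 'id' => $coupon_id ), array( '%d' ) );
}
```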
To exploit this, an attacker must craft a malicious link or script that, when visited by an authenticated admin, triggers a request to delete a coupon without the admin's knowledge. The attacker needs no authentication or special privileges on the site, only the ability to deliver the crafted request to a logged-in admin [1].
Successful exploitation allows the attacker to delete any coupon from the site, potentially disrupting promotional offers or discount strategies. The impact is limited to coupon deletion; no other administrative actions are directly affected by this specific CSRF flaw. The CVSS v3 score is 4.3 (Medium), indicating moderate severity [1].
As of the publication date, there is no known fix available. The plugin remains vulnerable in version 3.15.1 and earlier. Administrators are advised to be cautious when clicking links and to ensure they log out of admin sessions when not in use until a patched version is released [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=3.15.1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.