Description
The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack
Published: 2026-03-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Coupon Deletion via CSRF
Action: Patch
AI Analysis

Impact

The WP eCommerce WordPress plugin through version 3.15.1 does not validate a CSRF token when an administrator requests the deletion of a coupon. An attacker who can trick an authenticated admin into visiting a crafted link can cause the admin to delete coupons, resulting in the loss of discount data. This vulnerability is a classic Cross‑Site Request Forgery and therefore falls under CWE‑352.

Affected Systems

It affects the WP eCommerce plugin by the vendor Unknown: WP eCommerce, any installation running version 3.15.1 or older. The plugin is used within a WordPress environment, so sites that rely on coupons for sales are impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating moderate severity, and an EPSS score of less than 1 %, showing very low current exploitation probability. It is not listed in CISA’s KEV catalog. Exploitation requires a logged‑in administrator and a successful CSRF request, typically through social engineering or a malicious link. Because of the limited likelihood and the lack of active exploitation, the risk to most installations is low, but the potential impact on coupon availability is significant. Prompt patching is recommended.

Generated by OpenCVE AI on April 15, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP eCommerce to the latest version (3.15.2 or newer) where CSRF checks are enforced on coupon deletion.
  • If an update cannot be performed immediately, disable or restrict the coupon deletion feature for administrators until a patch is available.
  • Ensure the WordPress installation enforces strong authentication and limits the exposure of the admin panel to trusted IP addresses or VPNs.

Generated by OpenCVE AI on April 15, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp-ecommerce
Wp-ecommerce wp Ecommerce
Vendors & Products Wordpress
Wordpress wordpress
Wp-ecommerce
Wp-ecommerce wp Ecommerce

Fri, 06 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack
Title WP eCommerce <= 3.15.1 - Coupon Deletion via CSRF
References

Subscriptions

Wordpress Wordpress
Wp-ecommerce Wp Ecommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:56.881Z

Reserved: 2026-01-17T21:55:30.995Z

Link: CVE-2026-1128

cve-icon Vulnrichment

Updated: 2026-03-06T17:47:14.384Z

cve-icon NVD

Status : Deferred

Published: 2026-03-06T06:15:57.750

Modified: 2026-04-15T14:42:29.303

Link: CVE-2026-1128

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses