
WordPress WP eCommerce Plugin Can Be Tricked by Attackers

CVE-2026-1128
Summary

A missing CSRF check in the WP eCommerce plugin for WordPress allows an attacker to trick a logged-in administrator into deleting coupons without the admin's knowledge or consent, potentially causing financial losses. Update to the latest version of the plugin to fix this issue.

Original title and description
The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack
NVD CVSS 3.1 score: 4.3
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026