WP eCommerce <= 3.15.1 – Coupon Deletion via CSRF | CVE 2026-1128 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack

Proof of Concept

Have an admin open a link like:

https://example.com/wp-admin/edit.php?post_type=wpsc-product&page=wpsc-edit-coupons&action=delete&coupon%5B0%5D=4&coupon%5B1%5D=5

where the coupon IDs are actual coupons. The coupons will be deleted due to missing CSRF checks.

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

35010d36-f985-4121-b7ee-c97edf724a7f

Timeline

Publicly Published

2026-02-13 (about 21 days ago)

Added

2026-02-13 (about 21 days ago)

Last Updated

2026-02-13 (about 21 days ago)

Other

Published

Title

Published

2022-06-22

Title

Free Live Chat Support <= 1.0.12 - Stored Cross-Site Scripting via CSRF

Published

2018-05-15

Title

Metronet Tag Manager < 1.2.9 - Cross-Site Request Forgery (CSRF)

Published

2023-04-05

Title

WCFM Membership < 2.10.0 - Multiple CSRF

Published

2022-04-15

Title

MicroPayments < 1.9.6 - Arbitrary Settings Update via CSRF

Published

2026-01-28

Title

Popularis Extra <= 1.2.10 - Cross-Site Request Forgery