CVE-2026-1128 PUBLISHED

WP eCommerce <= 3.15.1 - Coupon Deletion via CSRF

Assigner: WPScan
Reserved: 17.01.2026 Published: 06.03.2026 Updated: 06.03.2026

The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack

Product Status

Vendor	Unknown
Product	WP eCommerce
Versions	Default: affected affected from 0 to 3.15.1 (incl.)

Credits

Bob Matyas finder
WPScan coordinator

References

https://wpscan.com/vulnerability/35010d36-f985-4121-b7ee-c97edf724a7f/

Problem Types

CWE-352 Cross-Site Request Forgery (CSRF) CWE