CVE-2026-1128: CWE-352 Cross-Site Request Forgery (CSRF) in WP eCommerce
The WP eCommerce WordPress plugin through 3.15.1 does not have a CSRF check in place when deleting coupons, which could allow attackers to make a logged-in admin remove them via a CSRF attack.
AI Analysis
Technical Summary
CVE-2026-1128 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the WP eCommerce plugin for WordPress, affecting versions through 3.15.1. The vulnerability arises because the plugin does not validate a CSRF token (a WordPress nonce) when processing coupon deletion requests. Because the admin's browser attaches the session cookie to any request aimed at the site, an attacker can craft a malicious web page or link that, when visited by an authenticated administrator, triggers the deletion of coupons without the admin's explicit consent. The attack requires the victim to be logged into the WordPress admin panel with sufficient privileges to delete coupons and to interact with the attacker-controlled content, typically by visiting a malicious URL. The vulnerability impacts the integrity of the eCommerce system by allowing unauthorized deletion of promotional coupons, potentially disrupting marketing campaigns or causing financial discrepancies. The CVSS score of 4.3 (medium severity) reflects that the attack requires user interaction and does not impact confidentiality or availability. No known public exploits have been reported, and no official patches have been released at the time of this analysis. The vulnerability is categorized under CWE-352, the common web application weakness class covering CSRF. Given WordPress's widespread adoption and the popularity of WP eCommerce as a plugin, this vulnerability could affect a broad range of online stores globally, especially those that rely on coupon-based promotions.
Potential Impact
The primary impact of CVE-2026-1128 is on the integrity of eCommerce operations using the WP eCommerce plugin. Unauthorized deletion of coupons can disrupt promotional activities, leading to potential revenue loss, customer dissatisfaction, and administrative overhead to restore deleted coupons. While the vulnerability does not directly compromise sensitive data or system availability, it undermines trust in the eCommerce platform's reliability and could be leveraged as part of a broader attack to destabilize business operations. Organizations with active marketing campaigns relying on coupons are particularly vulnerable. Additionally, repeated or large-scale exploitation could cause operational disruptions and financial impact. Since exploitation requires an authenticated admin to interact with malicious content, the risk is mitigated somewhat by the need for user interaction and admin privileges, but remains significant for sites with multiple administrators or less security awareness. The absence of patches increases the window of exposure, emphasizing the need for immediate mitigations.
Mitigation Recommendations
1. Restrict administrative access to trusted networks and users to reduce the risk of an attacker tricking an admin into visiting malicious content.
2. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting coupon deletion endpoints.
3. Disable or restrict coupon deletion functionality temporarily if feasible until an official patch is released.
4. Educate administrators about the risks of CSRF and the importance of avoiding untrusted links or websites while logged into the WordPress admin panel.
5. Employ security plugins or custom code to add CSRF token validation to coupon deletion requests as an interim fix.
6. Monitor logs for unusual coupon deletion activity to detect potential exploitation attempts.
7. Keep WordPress core and all plugins updated and apply patches promptly once available.
8. Consider implementing multi-factor authentication (MFA) for admin accounts to reduce the risk of compromised credentials facilitating exploitation.
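Mitigation 5 above (adding CSRF token validation) and mitigation 6 (logging suspicious deletion attempts) are easiest to understand against a concrete handler. The following is an added illustrative example, not WP eCommerce's own code and not a patch for CVE-2026-1128: it shows a generic WordPress admin action that deletes a coupon, first in the unprotected form the advisory describes (a capability check but no nonce), then hardened with WordPress's built-in nonce functions. All function names, the `admin_post_example_delete_coupon` hook, the `example_coupons` table and the `coupon_id` parameter are hypothetical; `current_user_can`, `wp_nonce_url`, `check_admin_referer`, `wp_verify_nonce_failed` and `$wpdb->delete` are real WordPress APIs.

```php
<?php
// Added example (hypothetical plugin code, not WP eCommerce's): a coupon
// deletion handler with and without CSRF protection.

// Hypothetical storage helper: deletes one row from a constructed custom table.
function example_delete_coupon_record( $coupon_id ) {
    global $wpdb;
    return $wpdb->delete(
        $wpdb->prefix . 'example_coupons',   // hypothetical table name
        array( 'id' => $coupon_id ),
        array( '%d' )
    );
}

// --- Unprotected pattern (the CWE-352 weakness class described above).
// The capability check confirms WHO is logged in, but not that the user
// INTENDED this request: the browser attaches the admin's cookies to any
// request aimed at the site, including one initiated by a third-party page.
function example_delete_coupon_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $coupon_id = isset( $_REQUEST['coupon_id'] ) ? absint( $_REQUEST['coupon_id'] ) : 0;
    if ( $coupon_id > 0 ) {
        example_delete_coupon_record( $coupon_id );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-coupons' ) );
    exit;
}

// --- Hardened pattern.
// 1. The link rendered in the admin UI carries a nonce bound to the action
//    string, the specific coupon id, the current user and the current session.
function example_coupon_delete_link( $coupon_id ) {
    $url = add_query_arg(
        array(
            'action'    => 'example_delete_coupon',
            'coupon_id' => absint( $coupon_id ),
        ),
        admin_url( 'admin-post.php' )
    );
    // Appends _wpnonce=<token>; a cross-site attacker cannot obtain this value.
    return wp_nonce_url( $url, 'example_delete_coupon_' . absint( $coupon_id ) );
}

// 2. The handler verifies the nonce for that exact action + coupon before
//    touching storage. check_admin_referer() stops the request with WordPress's
//    "link has expired" page when the nonce is missing, stale, or was issued
//    for another action, coupon or user.
function example_delete_coupon_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $coupon_id = isset( $_REQUEST['coupon_id'] ) ? absint( $_REQUEST['coupon_id'] ) : 0;
    check_admin_referer( 'example_delete_coupon_' . $coupon_id );
    if ( $coupon_id > 0 ) {
        example_delete_coupon_record( $coupon_id );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-coupons' ) );
    exit;
}
add_action( 'admin_post_example_delete_coupon', 'example_delete_coupon_protected' );

// 3. Detection (mitigation 6): WordPress fires wp_verify_nonce_failed whenever
//    a nonce check fails. Logging it with the user and referer gives a signal
//    for repeated forged requests against the deletion action.
add_action( 'wp_verify_nonce_failed', function ( $nonce, $action, $user, $token ) {
    if ( is_string( $action ) && 0 === strpos( $action, 'example_delete_coupon_' ) ) {
        error_log( sprintf(
            'CSRF check failed: action=%s user=%d referer=%s ip=%s',
            $action,
            $user instanceof WP_User ? $user->ID : 0,
            isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '-',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
    }
}, 10, 4 );
```

Two points worth noting for defenders reviewing a plugin like this. First, a capability check alone is never a CSRF defence; the nonce is what proves the request originated from the site's own UI, so every state-changing admin action needs both. Second, a WAF rule for mitigation 2 cannot key on the session (it is the victim's legitimate session); it has to look at request provenance, for example a `Sec-Fetch-Site: cross-site` header or a Referer outside the site, on requests to the deletion endpoint.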
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2026-01-17T21:55:30.995Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69aa7125c48b3f10ff1eaaf2
Added to database: 3/6/2026, 6:16:05 AM
Last enriched: 4/3/2026, 3:34:03 AM
Last updated: 4/19/2026, 11:54:18 AM