CVE-2026-1128: CWE-352 Cross-Site Request Forgery (CSRF) in WP eCommerce
CVE-2026-1128 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP eCommerce WordPress plugin up to version 3. 15. 1. It allows an attacker to trick a logged-in administrator into deleting coupons without their consent, due to the absence of CSRF protections on the coupon deletion functionality. Exploitation requires the victim to be authenticated as an admin and visit a maliciously crafted webpage. There are no known exploits in the wild currently. The vulnerability impacts the integrity of coupon data and could disrupt e-commerce operations. Mitigation involves applying patches when available or implementing CSRF tokens and verifying nonce values in the plugin's coupon deletion process. Countries with significant WordPress e-commerce usage and large WP eCommerce deployments are at higher risk. The severity is assessed as medium due to the need for admin authentication and user interaction, but the potential impact on business operations is notable.
AI Analysis
Technical Summary
CVE-2026-1128 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WP eCommerce plugin for WordPress, affecting all versions through 3.15.1. The vulnerability arises because the plugin does not implement CSRF protections when deleting coupons, specifically lacking nonce verification or other anti-CSRF tokens. This flaw enables an attacker to craft a malicious web request that, when visited by a logged-in WordPress administrator, triggers the deletion of coupons without the admin's explicit consent or knowledge. Since coupons often represent discounts or promotional offers, unauthorized deletion can disrupt business promotions, cause financial loss, or undermine customer trust. The attack requires the victim to be authenticated with administrative privileges and to interact with a malicious webpage or link, as no automated or unauthenticated exploitation is possible. No public exploits have been reported yet, and no official patches are currently linked, indicating the need for urgent attention from site administrators. The vulnerability is classified under CWE-352, highlighting the absence of CSRF protections in the affected functionality. The lack of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.
Potential Impact
The primary impact of this vulnerability is on the integrity and availability of coupon data within WP eCommerce-powered websites. Unauthorized deletion of coupons can disrupt marketing campaigns, cause revenue loss, and damage customer relationships. Since the attack requires administrative privileges, the scope is limited to sites where attackers can lure admins into visiting malicious content. However, given the widespread use of WordPress and e-commerce plugins, the potential reach is significant. The vulnerability does not directly compromise confidentiality or system-wide availability but can indirectly affect business operations and trust. Organizations relying heavily on WP eCommerce for sales and promotions may experience operational disruptions and financial impact. Additionally, repeated exploitation could lead to administrative overhead and increased support costs.
Mitigation Recommendations
Until an official patch is released, administrators should implement manual mitigations such as restricting admin access to trusted networks or VPNs to reduce exposure. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious coupon deletion requests lacking valid nonces or CSRF tokens. Site owners can also audit and modify the plugin code to add nonce verification for coupon deletion actions, ensuring that each request is validated against a unique token tied to the user session. Educate administrators about the risks of clicking unknown links while logged in to the WordPress admin panel. Regularly back up coupon data and site configurations to enable quick restoration if unauthorized deletions occur. Monitor logs for unusual coupon deletion activity to detect potential exploitation attempts early. Finally, stay alert for official patches or updates from the WP eCommerce development team and apply them promptly.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Brazil, Netherlands, Japan
CVE-2026-1128: CWE-352 Cross-Site Request Forgery (CSRF) in WP eCommerce
Description
CVE-2026-1128 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP eCommerce WordPress plugin up to version 3. 15. 1. It allows an attacker to trick a logged-in administrator into deleting coupons without their consent, due to the absence of CSRF protections on the coupon deletion functionality. Exploitation requires the victim to be authenticated as an admin and visit a maliciously crafted webpage. There are no known exploits in the wild currently. The vulnerability impacts the integrity of coupon data and could disrupt e-commerce operations. Mitigation involves applying patches when available or implementing CSRF tokens and verifying nonce values in the plugin's coupon deletion process. Countries with significant WordPress e-commerce usage and large WP eCommerce deployments are at higher risk. The severity is assessed as medium due to the need for admin authentication and user interaction, but the potential impact on business operations is notable.
AI-Powered Analysis
Technical Analysis
CVE-2026-1128 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WP eCommerce plugin for WordPress, affecting all versions through 3.15.1. The vulnerability arises because the plugin does not implement CSRF protections when deleting coupons, specifically lacking nonce verification or other anti-CSRF tokens. This flaw enables an attacker to craft a malicious web request that, when visited by a logged-in WordPress administrator, triggers the deletion of coupons without the admin's explicit consent or knowledge. Since coupons often represent discounts or promotional offers, unauthorized deletion can disrupt business promotions, cause financial loss, or undermine customer trust. The attack requires the victim to be authenticated with administrative privileges and to interact with a malicious webpage or link, as no automated or unauthenticated exploitation is possible. No public exploits have been reported yet, and no official patches are currently linked, indicating the need for urgent attention from site administrators. The vulnerability is classified under CWE-352, highlighting the absence of CSRF protections in the affected functionality. The lack of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.
Potential Impact
The primary impact of this vulnerability is on the integrity and availability of coupon data within WP eCommerce-powered websites. Unauthorized deletion of coupons can disrupt marketing campaigns, cause revenue loss, and damage customer relationships. Since the attack requires administrative privileges, the scope is limited to sites where attackers can lure admins into visiting malicious content. However, given the widespread use of WordPress and e-commerce plugins, the potential reach is significant. The vulnerability does not directly compromise confidentiality or system-wide availability but can indirectly affect business operations and trust. Organizations relying heavily on WP eCommerce for sales and promotions may experience operational disruptions and financial impact. Additionally, repeated exploitation could lead to administrative overhead and increased support costs.
Mitigation Recommendations
Until an official patch is released, administrators should implement manual mitigations such as restricting admin access to trusted networks or VPNs to reduce exposure. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious coupon deletion requests lacking valid nonces or CSRF tokens. Site owners can also audit and modify the plugin code to add nonce verification for coupon deletion actions, ensuring that each request is validated against a unique token tied to the user session. Educate administrators about the risks of clicking unknown links while logged in to the WordPress admin panel. Regularly back up coupon data and site configurations to enable quick restoration if unauthorized deletions occur. Monitor logs for unusual coupon deletion activity to detect potential exploitation attempts early. Finally, stay alert for official patches or updates from the WP eCommerce development team and apply them promptly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- WPScan
- Date Reserved
- 2026-01-17T21:55:30.995Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69aa7125c48b3f10ff1eaaf2
Added to database: 3/6/2026, 6:16:05 AM
Last enriched: 3/6/2026, 6:30:37 AM
Last updated: 3/6/2026, 8:36:10 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.