Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-1128

CVE-2026-1128: WP eCommerce WordPress CSRF Vulnerability

CVE-2026-1128 is a CSRF flaw in WP eCommerce WordPress plugin that allows attackers to trick admins into deleting coupons. This post covers the technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-1128 Overview

CVE-2026-1128 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP eCommerce WordPress plugin through version 3.15.1. The plugin fails to implement proper CSRF token validation when processing coupon deletion requests, allowing attackers to craft malicious requests that trick authenticated administrators into unknowingly deleting coupons from their eCommerce stores.

Critical Impact

Attackers can manipulate authenticated WordPress administrators into deleting store coupons without their knowledge, potentially disrupting promotional campaigns and eCommerce operations.

Affected Products

  • WP eCommerce WordPress plugin through version 3.15.1

Discovery Timeline

  • 2026-03-06 - CVE CVE-2026-1128 published to NVD
  • 2026-03-09 - Last updated in NVD database

Technical Details for CVE-2026-1128

Vulnerability Analysis

This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The WP eCommerce plugin lacks proper CSRF protection mechanisms on the coupon deletion functionality within the administrative interface. When an administrator is logged into WordPress and visits a malicious webpage crafted by an attacker, the attacker can trigger unauthorized coupon deletion requests on behalf of the administrator without their consent or knowledge.

The attack requires user interaction—specifically, a logged-in administrator must be tricked into visiting an attacker-controlled page or clicking a malicious link while authenticated to the WordPress dashboard. Once this condition is met, the attacker can silently submit requests to delete coupons from the eCommerce system.

Root Cause

The root cause of this vulnerability is the absence of CSRF token verification (nonce checking) in the coupon deletion handler within the WP eCommerce plugin. WordPress provides built-in CSRF protection through its nonce system (wp_nonce_field() and wp_verify_nonce()), but the vulnerable code path does not properly implement these security checks before processing deletion requests.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker would typically:

  1. Craft a malicious HTML page containing a hidden form or JavaScript that submits a coupon deletion request to the target WordPress site
  2. Host this page on an attacker-controlled domain or inject it into a compromised website
  3. Trick an authenticated WordPress administrator into visiting the malicious page
  4. When the administrator loads the page, the browser automatically sends the forged deletion request along with the administrator's valid session cookies, causing the coupon to be deleted

The attack exploits the trust relationship between the browser and the WordPress site, leveraging the administrator's existing authenticated session to perform unauthorized actions.

Detection Methods for CVE-2026-1128

Indicators of Compromise

  • Unexpected deletion of coupons in the WP eCommerce plugin without corresponding administrator activity
  • Audit logs showing coupon deletion requests originating from unusual referrer URLs
  • Administrator reports of coupons disappearing without their knowledge
  • Web server logs showing POST requests to coupon management endpoints with external or suspicious Referer headers

Detection Strategies

  • Monitor WordPress audit logs for bulk or unexpected coupon deletion events
  • Implement web application firewall (WAF) rules to detect and block requests with suspicious Referer headers targeting coupon management endpoints
  • Review server access logs for patterns indicating CSRF exploitation attempts
  • Enable detailed logging for administrative actions within the eCommerce plugin

Monitoring Recommendations

  • Configure alerts for high-volume coupon deletion activity within short time periods
  • Monitor for administrator session usage from unusual IP addresses or geographic locations
  • Implement real-time monitoring of critical eCommerce administrative functions
  • Review and audit administrator activity logs regularly for anomalous patterns

How to Mitigate CVE-2026-1128

Immediate Actions Required

  • Update the WP eCommerce plugin to the latest version that includes CSRF protection for coupon management
  • Review recently deleted coupons and restore any that were removed unexpectedly
  • Implement additional security plugins that provide CSRF protection at the application level
  • Advise administrators to log out of WordPress when not actively using the dashboard

Patch Information

The vulnerability affects WP eCommerce versions through 3.15.1. Users should check the plugin repository for updated versions that address this CSRF vulnerability. For detailed technical information about this vulnerability, refer to the WPScan Vulnerability Report.

Workarounds

  • Limit administrative access to trusted IP addresses using WordPress or server-level IP whitelisting
  • Implement a web application firewall (WAF) with CSRF protection rules enabled
  • Train administrators to avoid clicking links in untrusted emails or visiting unknown websites while logged into WordPress
  • Consider disabling the coupon functionality temporarily until a patched version is available
  • Use browser extensions that block cross-site requests or isolate browsing sessions
bash
# Example: Apache .htaccess rule to restrict admin access by IP
<Files "admin-ajax.php">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
    Allow from 10.0.0.0/8
</Files>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne