{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1128", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-01-17T21:55:30.995Z", "datePublished": "2026-03-06T06:00:03.095Z", "dateUpdated": "2026-04-02T12:39:56.881Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:56.881Z"}, "title": "WP eCommerce <= 3.15.1 - Coupon Deletion via CSRF", "problemTypes": [{"descriptions": [{"description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "WP eCommerce", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "3.15.1"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack"}], "references": [{"url": "https://wpscan.com/vulnerability/35010d36-f985-4121-b7ee-c97edf724a7f/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Bob Matyas", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T17:46:45.491924Z", "id": "CVE-2026-1128", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:47:18.129Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1128", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T17:46:45.491924Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:47:14.384Z"}}], "cna": {"title": "WP eCommerce <= 3.15.1 - Coupon Deletion via CSRF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bob Matyas"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "WP eCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.15.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/35010d36-f985-4121-b7ee-c97edf724a7f/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:56.881Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1128", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:56.881Z", "dateReserved": "2026-01-17T21:55:30.995Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-03-06T06:00:03.095Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack"}, {"lang": "es", "value": "El plugin de WordPress WP eCommerce hasta la versi\u00f3n 3.15.1 no cuenta con una comprobaci\u00f3n CSRF al eliminar cupones, lo que podr\u00eda permitir a los atacantes forzar a un administrador con sesi\u00f3n iniciada a eliminarlos mediante un ataque CSRF."}], "id": "CVE-2026-1128", "lastModified": "2026-04-15T14:42:29.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-06T06:15:57.750", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/35010d36-f985-4121-b7ee-c97edf724a7f/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.15.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "WP eCommerce", "source": "cna", "vendor": "Unknown"}, "product": "wp_ecommerce", "vendor": "wp-ecommerce"}], "analysis": {"en": {"generated_at": "2026-04-15T22:42:22.430498+00:00", "value": {"mitigation_remediation": ["Update WP eCommerce to the latest version (3.15.2 or newer) where CSRF checks are enforced on coupon deletion.", "If an update cannot be performed immediately, disable or restrict the coupon deletion feature for administrators until a patch is available.", "Ensure the WordPress installation enforces strong authentication and limits the exposure of the admin panel to trusted IP addresses or VPNs."], "summary": {"action": "Patch", "impact": "Unauthorized Coupon Deletion via CSRF"}, "threat_synthesis": {"affected_systems": "It affects the WP eCommerce plugin by the vendor Unknown: WP eCommerce, any installation running version\u202f3.15.1 or older. The plugin is used within a WordPress environment, so sites that rely on coupons for sales are impacted.", "description_and_impact": "The WP eCommerce WordPress plugin through version\u202f3.15.1 does not validate a CSRF token when an administrator requests the deletion of a coupon. An attacker who can trick an authenticated admin into visiting a crafted link can cause the admin to delete coupons, resulting in the loss of discount data. This vulnerability is a classic Cross\u2011Site Request Forgery and therefore falls under CWE\u2011352.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.3, indicating moderate severity, and an EPSS score of less than 1\u202f%, showing very low current exploitation probability. It is not listed in CISA\u2019s KEV catalog. Exploitation requires a logged\u2011in administrator and a successful CSRF request, typically through social engineering or a malicious link. Because of the limited likelihood and the lack of active exploitation, the risk to most installations is low, but the potential impact on coupon availability is significant. Prompt patching is recommended."}}}}, "created": "2026-03-06T14:55:38.165294+00:00", "updated": "2026-04-15T22:45:16.447264+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp-ecommerce", "wp-ecommerce$PRODUCT$wp_ecommerce"]}