    Severity: UNKNOWN (0.0)
    Category: Plugin

    CSRF Vulnerability in WP eCommerce Plugin Allows Unauthorized Coupon Deletion

    Published Date: 3/6/2026
    CVE ID: CVE-2026-1128

    Summary

    The WP eCommerce plugin through version 3.15.1 performs coupon deletion without any cross-site request forgery (CSRF) check. An attacker who can get a logged-in administrator to load a crafted page or follow a crafted link can therefore cause the administrator's own browser to delete coupons, without the administrator's knowledge or consent.

    Vulnerability Details

    The coupon-deletion action in WP eCommerce is processed without any proof that the request was deliberately issued by the administrator: the handler verifies neither a WordPress nonce (the platform's CSRF token) nor any equivalent check of the request's origin. Because a browser attaches the site's authentication cookies to every request bound for that site, the attacker does not need the administrator's credentials; it is enough to lure a logged-in administrator onto an attacker-controlled page, or into following a link, that silently submits the deletion request. The plugin then treats the forged request as a legitimate administrative action and deletes the targeted coupon. The attacker receives no response data and gains no access to the site, but can remove active discount codes and so disrupt sales and promotions without the site owner's consent or awareness. Any site running the affected versions is exposed to this unauthorized coupon manipulation for as long as the missing check is absent.

    Recommendations

    Site owners should update WP eCommerce as soon as a version later than 3.15.1 that adds the missing check is released. Until then, treat the coupon-management screens as exposed: avoid browsing untrusted sites or following unsolicited links while logged in to the WordPress dashboard, and log out when not administering the site, since a forged request only succeeds while a valid admin session exists. Plugin developers should protect every state-changing request, coupon deletion included, with a WordPress nonce emitted by wp_nonce_field() or wp_nonce_url() and verified with check_admin_referer() or wp_verify_nonce(), combined with a current_user_can() capability check, and should accept such actions only over POST so that a plain link cannot trigger them. Periodic security training and reminders about these habits shorten the window in which a forged request can succeed.
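    The following is an added illustration, not code from WP eCommerce or from the advisory: it places the unprotected handler pattern described above beside the hardened form the recommendations call for. The hook names, the option key and the parameter names are hypothetical stand-ins for the plugin's own; the WordPress functions used (check_admin_referer, wp_nonce_field, current_user_can, absint, wp_die, submit_button) are the real platform APIs.

```php
<?php
// Added example. Hook names, option key and parameter names are hypothetical;
// the WordPress functions are real. Not WP eCommerce's code.

// --- Vulnerable pattern: deletes whatever coupon ID arrives, with no CSRF check. ---
// A page the administrator visits elsewhere can submit this request on their
// behalf; the browser attaches the WordPress auth cookie automatically, and
// reading from $_REQUEST means even a plain GET link triggers the deletion.
add_action( 'admin_post_example_delete_coupon_vuln', function () {
    $coupon_id = isset( $_REQUEST['coupon_id'] ) ? absint( $_REQUEST['coupon_id'] ) : 0;
    example_delete_coupon( $coupon_id );   // executes for any forged request from a logged-in admin
    wp_safe_redirect( admin_url( 'admin.php?page=example-coupons' ) );
    exit;
} );

// --- Hardened pattern: capability check + nonce bound to this coupon ID, POST only. ---
add_action( 'admin_post_example_delete_coupon', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // $_POST only: a cross-site top-level GET navigation carries no body.
    $coupon_id = isset( $_POST['coupon_id'] ) ? absint( $_POST['coupon_id'] ) : 0;

    // check_admin_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce'] and
    // dies on failure. The nonce is tied to the logged-in user's session and the
    // action string, so a third-party page cannot mint one; including the coupon
    // ID in the action string also stops a nonce leaked for one coupon from being
    // replayed against another.
    check_admin_referer( 'example_delete_coupon_' . $coupon_id );

    if ( 0 === $coupon_id || ! example_delete_coupon( $coupon_id ) ) {
        wp_die( 'Coupon not found.', '', array( 'response' => 404 ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-coupons&deleted=1' ) );
    exit;
} );

// Admin-side form that issues the legitimate request. wp_nonce_field() emits the
// hidden _wpnonce input (valid 12-24 hours by default) that the handler verifies.
function example_render_delete_form( int $coupon_id ): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_delete_coupon">
        <input type="hidden" name="coupon_id" value="<?php echo esc_attr( $coupon_id ); ?>">
        <?php wp_nonce_field( 'example_delete_coupon_' . $coupon_id ); ?>
        <?php submit_button( 'Delete coupon', 'delete', 'submit', false ); ?>
    </form>
    <?php
}

// Hypothetical storage: coupons kept in an option keyed by ID, standing in for
// the plugin's real coupon table. Returns true only if a coupon was removed.
function example_delete_coupon( int $coupon_id ): bool {
    $coupons = get_option( 'example_coupons', array() );
    if ( ! isset( $coupons[ $coupon_id ] ) ) {
        return false;
    }
    unset( $coupons[ $coupon_id ] );
    return update_option( 'example_coupons', $coupons );
}
```

    The two handlers differ only in the three guards at the top of the hardened one; the capability check alone would not have prevented this issue, because the forged request arrives with a fully authorized administrator session. The nonce is what distinguishes a request the administrator intended from one their browser was tricked into sending.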

    Available Fixes

    Last Updated: 3/7/2026
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.


    All Rights Reserved © 2026 Jedar for Digital Rights.
