OK, I figured since the coupon actually is created properly, perhaps there is an issue "further down" that causes modsecurity to go bananas...
and yep, once I removed this code (line 239 - 245)
Code:
$coupon_id = $db->insertid();
$q ="INSERT INTO #__awocoupon_user
( coupon_id, user_id )
VALUES
( '".$coupon_id."' , '".JFactory::getUser()->id."' ";
$db->setQuery($q);
$db->execute();
Still don't know what it's there that modsecurity doesn't like and I suppose by removing it the coupon will no longer be personal but I can live with that for right now
.