Description
The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery
Action: Patch
AI Analysis

Impact

The Lucky Draw Contests WordPress plugin is vulnerable to a Cross‑Site Request Forgery flaw caused by missing or incorrect nonce validation in misc-settings.php. An attacker who can persuade a site administrator to click a crafted link or submit a forged form can update the plugin’s settings without authentication. This can lead to unauthorized configuration changes, potentially disrupting the site’s operation or enabling further malicious activity such as disseminating spam content or exposing sensitive data, depending on the modified settings.

Affected Systems

The affected product is Lucky Draw Contests, currently maintained by the vendor owais4377. All WordPress sites running any version of the plugin up to and including 4.2 are vulnerable. No specific sub‑versions are listed, so the entire <=4.2 range is considered at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack path requires an unauthenticated attacker to deceive an authenticated administrator into executing a forged request, typically via a malicious link or embedded form. Once the request is accepted, the attacker can change any configuration that the administrator normally controls.

Generated by OpenCVE AI on April 21, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lucky Draw Contests to the latest version that contains the nonce validation fix.
  • Configure a security plugin or web application firewall to enforce nonce checks and blockuthenticated setting changes.
  • Ensure that only trusted administrators with multi‑factor authentication can access the WordPress admin area.

Generated by OpenCVE AI on April 21, 2026 at 17:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Lucky Draw Contests <= 4.2 - Cross-Site Request Forgery to Plugin Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:25.857Z

Reserved: 2025-12-10T15:59:50.953Z

Link: CVE-2025-14462

cve-icon Vulnrichment

Updated: 2025-12-15T15:43:36.936Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:50.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14462

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses