Description
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Published: 2025-12-30
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Lucky Wheel for WooCommerce – Spin a Sale plugin is vulnerable to PHP code injection caused by using eval() on unsanitized user input from the Conditional Tags setting. This flaw allows authenticated administrators to run arbitrary PHP code on the server, effectively compromising confidentiality, integrity, and availability of the site. The weakness is a classic code injection, classified as CWE-94.

Affected Systems

WordPress sites running the Lucky Wheel for WooCommerce – Spin a Sale plugin up to and including version 1.1.13 are affected. All installations of this plugin on both single‑site and multisite environments where the plugin is enabled are at risk. Administrators or Super Admins with access to the plugin settings can exploit the flaw.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity vulnerability. The EPSS score indicates the likelihood of exploit in the wild is lower than 1%, and the vulnerability is not listed in the CISA KEV catalog. Attackers must possess administrator‑level credentials, but once they do, invocation of the eval() construct enables remote code execution on the server, making this a critical security risk for vulnerable sites.

Generated by OpenCVE AI on April 21, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lucky Wheel for WooCommerce – Spin a Sale to a version newer than 1.1.13 that removes the vulnerable eval usage.
  • If an immediate upgrade is not possible, revoke the 'Conditional Tags' setting or disable the plugin until a patched version is available.
  • Restrict administrator access to trusted users only and regularly review user roles to reduce the attack surface.

Generated by OpenCVE AI on April 21, 2026 at 16:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 05 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Villatheme
Villatheme lucky Wheel For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Villatheme
Villatheme lucky Wheel For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Tue, 30 Dec 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 30 Dec 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Title Lucky Wheel for WooCommerce – Spin a Sale <= 1.1.13 - Authenticated (Administrator+) PHP Code Injection via Conditional Tags
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Villatheme Lucky Wheel For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:00.919Z

Reserved: 2025-12-11T02:09:49.371Z

Link: CVE-2025-14509

cve-icon Vulnrichment

Updated: 2025-12-30T12:55:22.637Z

cve-icon NVD

Status : Deferred

Published: 2025-12-30T12:15:44.743

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses