Impact
The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to and including 1.0.22 because it passes data supplied via the conditional_tags parameter unconditionally to PHP's eval() function. The code performs no validation or sanitization of this user-controlled input, so an attacker who can set that parameter can inject and execute arbitrary PHP code on the host. The vulnerability is classified as CWE-94 (code injection). Successful exploitation compromises the confidentiality, integrity, and availability of the web server and any data it hosts.
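The root cause described above is a string from an administrator setting being handed to eval(). The block below is an added example, not code from the Lucky Wheel Giveaway plugin or from Villatheme, showing the defensive alternative: tokenize the setting, parse a small boolean grammar, and dispatch only to an allow-list of WordPress conditional-tag functions, so no part of the string is ever compiled as PHP. It assumes the setting is a boolean expression such as `is_single() || is_page('about')` with at most one string or integer argument per call; the plugin's real syntax is not documented on this page, and the `is_single`/`is_page`/`is_home` stubs are constructed so the file runs outside WordPress.

```php
<?php
// Added example, not code from the Lucky Wheel Giveaway plugin or Villatheme.
// Assumption: the conditional_tags setting is a boolean expression over WordPress
// conditional tags, e.g. "is_single() || is_page('about')".
//
// The pattern the advisory describes, for contrast only (never do this):
//     return eval('return (' . $conditional_tags . ');');
// Below, the string is tokenized, parsed, and dispatched only to allow-listed
// functions, so no part of it ever becomes PHP code.

// Only these WordPress conditional tags may be called from the setting.
const ALLOWED_CONDITIONAL_TAGS = [
    'is_home', 'is_front_page', 'is_single', 'is_page', 'is_singular',
    'is_archive', 'is_category', 'is_tag', 'is_search', 'is_404', 'is_user_logged_in',
];

/** Evaluate the setting; throws InvalidArgumentException on anything outside the grammar. */
function evaluate_conditional_tags(string $expr): bool
{
    $tokens = tokenize_conditional_tags(trim($expr));
    $pos = 0;
    $result = parse_or($tokens, $pos);
    if ($pos !== count($tokens)) {
        throw new InvalidArgumentException('Unexpected token: ' . $tokens[$pos]);
    }
    return $result;
}

/** Split into tokens: ||, &&, !, parentheses, identifiers, 'strings', integers. Anything else is an error. */
function tokenize_conditional_tags(string $expr): array
{
    $pattern = "/\s*(\|\||&&|!|\(|\)|[A-Za-z_][A-Za-z0-9_]*|'[^']*'|\d+)\s*/A";
    $tokens = [];
    $offset = 0;
    $length = strlen($expr);
    while ($offset < $length) {
        if (!preg_match($pattern, $expr, $m, 0, $offset)) {
            throw new InvalidArgumentException('Illegal character at offset ' . $offset);
        }
        $tokens[] = $m[1];
        $offset += strlen($m[0]);
    }
    return $tokens;
}

// Recursive-descent parser: or -> and -> not -> primary. Operands are always parsed
// fully before combining, so a malformed right-hand side is never silently skipped.
function parse_or(array $t, int &$p): bool
{
    $v = parse_and($t, $p);
    while (($t[$p] ?? null) === '||') { $p++; $r = parse_and($t, $p); $v = $v || $r; }
    return $v;
}

function parse_and(array $t, int &$p): bool
{
    $v = parse_not($t, $p);
    while (($t[$p] ?? null) === '&&') { $p++; $r = parse_not($t, $p); $v = $v && $r; }
    return $v;
}

function parse_not(array $t, int &$p): bool
{
    if (($t[$p] ?? null) === '!') { $p++; return !parse_not($t, $p); }
    return parse_primary($t, $p);
}

function parse_primary(array $t, int &$p): bool
{
    if (!isset($t[$p])) {
        throw new InvalidArgumentException('Unexpected end of expression');
    }
    if ($t[$p] === '(') { $p++; $v = parse_or($t, $p); expect($t, $p, ')'); return $v; }
    $name = $t[$p++];
    if (!in_array($name, ALLOWED_CONDITIONAL_TAGS, true)) {
        throw new InvalidArgumentException("Unknown conditional tag: $name");
    }
    if (!function_exists($name)) {
        throw new RuntimeException("Conditional tag $name is not available in this environment");
    }
    $args = [];
    if (($t[$p] ?? null) === '(') {
        $p++;
        if (($t[$p] ?? null) !== ')') { $args[] = literal($t[$p++]); }
        expect($t, $p, ')');
    }
    // Dispatch through the allow-list; the setting string never reaches eval().
    return (bool) call_user_func_array($name, $args);
}

function expect(array $t, int &$p, string $tok): void
{
    if (($t[$p] ?? null) !== $tok) { throw new InvalidArgumentException("Expected $tok"); }
    $p++;
}

/** Accept only a quoted string or a non-negative integer as a call argument. */
function literal(string $tok)
{
    if ($tok[0] === "'") { return substr($tok, 1, -1); }
    if (ctype_digit($tok)) { return (int) $tok; }
    throw new InvalidArgumentException("Bad argument: $tok");
}

// Stand-alone stubs (constructed for this example) so the file runs outside WordPress,
// where core defines the real conditional tags with these signatures.
if (!function_exists('is_single')) { function is_single($post = '') { return $post === '' || $post === 42; } }
if (!function_exists('is_page'))   { function is_page($page = '')   { return $page === 'about'; } }
if (!function_exists('is_home'))   { function is_home()             { return false; } }

var_dump(evaluate_conditional_tags("is_single() || is_page('about')"));
var_dump(evaluate_conditional_tags("!is_home() && is_page('contact')"));
foreach (["phpinfo()", "is_single(); echo 1"] as $bad) {
    try {
        evaluate_conditional_tags($bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected: $bad -> {$e->getMessage()}\n";
    }
}
```

The allow-list is the control that matters: a function name outside `ALLOWED_CONDITIONAL_TAGS`, any character outside the token grammar, or a second statement after a `;` is rejected before any call is made, whereas eval() would have executed all of it. When retrofitting a setting like this, treat existing stored values as untrusted too and re-validate them on load, since an attacker who already had administrator access may have saved a payload before the fix was deployed.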
Affected Systems
The affected product is the Lucky Wheel Giveaway WordPress plugin published by Villatheme; versions up to and including 1.0.22 are susceptible. Only authenticated users with Administrator-level or higher WordPress privileges can exploit the flaw, because the conditional_tags parameter is only reachable by administrators. Lower-privileged users and unauthenticated visitors cannot trigger the vulnerability directly.
Risk and Exploitability
The CVSS v3 base score of 7.2 reflects high severity. The EPSS score is below 1 %, indicating a low but non-zero likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs legitimate administrator credentials, whether compromised or misused; once authenticated, they can supply a payload through the conditional_tags parameter to execute arbitrary code. Because exploitation requires administrative access to the WordPress backend or API, the attack path is indirect. The overall risk is moderate to high, especially for sites with many administrative users or weak credential management.
OpenCVE Enrichment