Description
The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.
Published: 2026-01-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated manipulation of prize selection leading to undeserved high‑value rewards
Action: Update plugin
AI Analysis

Impact

The Spin Wheel WordPress plugin accepts a client‑supplied 'prize_index' parameter and awards whatever prize that index names, without drawing the prize server‑side or validating the value. This is CWE‑602 (client‑side enforcement of server‑side security): the random spin happens only in the browser, so anyone who edits the parameter in the request can receive the most valuable prize on every spin, defeating the intended random reward mechanism. The impact is confined to the integrity of the plugin's own functionality (unearned rewards and an unfair draw); no confidentiality or availability impact is recorded.

Affected Systems

WordPress sites running the Spin Wheel plugin from bdthemes, specifically versions 2.1.0 and earlier. Users who deploy these versions are susceptible to prize manipulation.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) scores 5.3, Medium: network‑reachable, low complexity, no privileges or user interaction required, with a low integrity impact only. The EPSS score of under 1% indicates a low predicted probability of exploitation in the wild, and the issue is not in the CISA KEV catalog, although the SSVC assessment marks it as automatable. Exploitation needs nothing more than the ability to send HTTP requests to the plugin's AJAX endpoint, which is reachable by unauthenticated visitors, so a request carrying a modified 'prize_index' value is trivial to craft and to repeat; the practical consequence is whatever the wheel hands out (discounts, coupons or goods) being claimed on demand, not a compromise of the site itself.

Generated by OpenCVE AI on April 16, 2026 at 18:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Spin Wheel plugin to a fixed release (a version greater than 2.1.0) as soon as the vendor publishes one, and confirm from the changelog that prize selection has been moved to the server.
  • Until then, the only effective mitigation is to stop trusting the client: the server must pick the prize with its own random draw and ignore any client‑supplied 'prize_index'. Requiring authentication or rejecting out‑of‑range indexes does not remove the flaw, because any index the client is permitted to send can still be chosen deliberately. If the plugin cannot be changed, disable the wheel or block its AJAX action at the web server or WAF.
  • Monitor prize‑award records for anomalies that indicate exploitation: a single IP address or session winning top‑tier prizes far more often than the configured odds allow, or repeated spin requests that always carry the same high‑value 'prize_index'.
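As an added example, not code from the Spin Wheel plugin or from bdthemes, the following PHP shows the CWE‑602 pattern described in the analysis above inside a WordPress AJAX handler, beside the server‑side fix that the second recommendation calls for. The action name 'sw_spin', the prize table, the nonce name and the transient key are all hypothetical; the WordPress functions used (add_action, check_ajax_referer, wp_send_json_success, set_transient, wp_generate_password) are real.

```php
<?php
// Added example, not the Spin Wheel plugin's own code. Demonstrates the
// CWE-602 flaw behind this CVE (server trusts a client-chosen prize index)
// and the fix (server draws the prize itself). Names below are hypothetical.

// Hypothetical prize table; weights express how often each prize should win.
function sw_prize_table() {
    return array(
        array( 'label' => '5% off',       'weight' => 70 ),
        array( 'label' => '20% off',      'weight' => 25 ),
        array( 'label' => 'Free product', 'weight' => 5 ),
    );
}

// VULNERABLE: the browser animates the wheel, picks an index, and posts it.
// The server believes that index, so any client can send prize_index=2 and
// receive 'Free product' every time. Adding a bounds check would not help;
// the problem is that the client chooses at all. Nor is the missing login
// the flaw: a logged-in user could cheat in exactly the same way.
function sw_spin_vulnerable() {
    $prizes = sw_prize_table();
    $index  = isset( $_POST['prize_index'] ) ? (int) $_POST['prize_index'] : 0;
    wp_send_json_success( array( 'prize' => $prizes[ $index ]['label'] ) );
}

// FIXED: ignore anything the client says about the prize. Draw the index
// with a CSPRNG, weighted by the configured odds.
function sw_weighted_pick( array $prizes ) {
    $total = 0;
    foreach ( $prizes as $p ) {
        $total += (int) $p['weight'];
    }
    $roll = random_int( 1, $total ); // cryptographically secure, PHP >= 7
    foreach ( $prizes as $i => $p ) {
        $roll -= (int) $p['weight'];
        if ( $roll <= 0 ) {
            return $i;
        }
    }
    return count( $prizes ) - 1;     // only reachable if every weight is 0
}

function sw_spin_fixed() {
    // CSRF check; the page embeds wp_create_nonce( 'sw_spin_nonce' ).
    // Nonces work for logged-out visitors too, so this stays unauthenticated.
    check_ajax_referer( 'sw_spin_nonce', 'nonce' );

    $prizes = sw_prize_table();
    $index  = sw_weighted_pick( $prizes );

    // Record the outcome server-side under a random token so a later
    // "claim" step looks the result up instead of trusting the client again.
    $token = wp_generate_password( 32, false );
    set_transient( 'sw_spin_' . $token, $index, HOUR_IN_SECONDS );

    wp_send_json_success( array(
        'token'       => $token,
        'prize_index' => $index,   // tells the wheel where to stop; informational only
        'prize'       => $prizes[ $index ]['label'],
    ) );
}

add_action( 'wp_ajax_sw_spin',        'sw_spin_fixed' );
add_action( 'wp_ajax_nopriv_sw_spin', 'sw_spin_fixed' );
```

The fixed handler is registered for both logged-in (wp_ajax_) and anonymous (wp_ajax_nopriv_) callers, because authentication was never the missing control. The browser should animate the wheel to the index the server returns rather than the other way round, and any subsequent claim or coupon step should resolve the stored token instead of accepting a prize index from the client a second time.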


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Sat, 17 Jan 2026 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.

Type: Title
Values Removed: (none)
Values Added: Spin Wheel <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-602

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:33.408Z

Reserved: 2026-01-09T14:36:32.229Z

Link: CVE-2026-0808

Vulnrichment

Updated: 2026-01-20T18:27:10.330Z

NVD

Status : Deferred

Published: 2026-01-17T07:16:02.123

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z

Weaknesses