Vulnerability Description
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/tags/1.1.13/frontend/
- https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/trunk/frontend/fronte
- https://plugins.trac.wordpress.org/changeset/3428063/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9a41bc0e-0ab9-4cee-b3c
FAQ
What is CVE-2025-14509?
CVE-2025-14509 is a vulnerability with a CVSS score of 7.2 (HIGH). The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute u...
How severe is CVE-2025-14509?
CVE-2025-14509 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-14509?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.