Vulnerability Description
The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-
- https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-a
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d
FAQ
What is CVE-2026-0808?
CVE-2026-0808 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data...
How severe is CVE-2026-0808?
CVE-2026-0808 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-0808?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.