Vulnerabilities and security researches forwoo-lucky-wheel woo-lucky-wheel

Jun 07, 2024

CVE, Research URL: c9ebc1afc3f1cd74ba354933b129a48db85927d6
Home page URL: Security reports for Lucky Wheel for WooCommerce – Spin a Sale
Application: Lucky Wheel for WooCommerce – Spin a Sale
Date: Apr 08, 2022
Research Description: Lucky Wheel for WooCommerce – Spin a Sale [woo-lucky-wheel] < 1.0.11 WordPress Lucky Wheel for WooCommerce – Spin a Sale plugin <= 1.0.10 - Stored Cross-Site Scripting (XSS) vulnerability Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Lucky Wheel for WooCommerce – Spin a Sale plugin (versions <= 1.0.10).
Affected versions: max 1.0.11.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-14509
Home page URL: Security reports for Lucky Wheel for WooCommerce – Spin a Sale
Application: Lucky Wheel for WooCommerce – Spin a Sale
Date: Dec 30, 2025
Research Description: The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Affected versions: max 1.1.14.
Status: vulnerable