Vulnerabilities and security researches forwp-lucky-wheel wp-lucky-wheel

Feb 28, 2026

CVE, Research URL: CVE-2025-14541
Home page URL: Security reports for WordPress Lucky Wheel – Spin a Sale
Application: WordPress Lucky Wheel – Spin a Sale
Date: Feb 11, 2026
Research Description: The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
Affected versions: max 1.0.23.
Status: vulnerable