cleantalk
Vulnerabilities and Security Researches

Lucky Wheel for WooCommerce – Spin a Sale, CVE-2025-14509

CVE, Research URL

CVE-2025-14509

Home page URL

Security reports for Lucky Wheel for WooCommerce – Spin a Sale

Application

Lucky Wheel for WooCommerce – Spin a Sale

Published on
Dec 30, 2025
Research Description
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Affected versions
max 1.1.14.
Status
vulnerable
Previous vulnerability researches
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2025-30819) , Apr 02, 2025
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2023-23893) , Jun 10, 2024
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2025-47606) , May 09, 2025
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2022-4974) , Nov 15, 2024
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2021-24298) , Jun 07, 2024
New vulnerability
WING WordPress Migrator (CVE-2025-52835) , Jan 10, 2026
WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress (CVE-2025-66074) , Jan 10, 2026
1180px Shortcodes (CVE-2025-14114) , Jan 10, 2026
Listdom – Business Directory and Classified Ads Listings WordPress Plugin (CVE-2025-67560) , Jan 10, 2026
Simple CSV Table (CVE-2025-12960) , Jan 10, 2026