cleantalk
Vulnerabilities and Security Researches

Lucky Wheel for WooCommerce – Spin a Sale, CVE-2025-14509

CVE, Research URL

CVE-2025-14509

Home page URL

Security reports for Lucky Wheel for WooCommerce – Spin a Sale

Application

Lucky Wheel for WooCommerce – Spin a Sale

Published on
Dec 30, 2025
Research Description
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Affected versions
max 1.1.14.
Status
vulnerable
Previous vulnerability researches
GNA Search Shortcode (CVE-2025-46540) , Apr 26, 2025
New vulnerability
WING WordPress Migrator (CVE-2025-52835) , Jan 10, 2026
WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress (CVE-2025-66074) , Jan 10, 2026
1180px Shortcodes (CVE-2025-14114) , Jan 10, 2026
Listdom – Business Directory and Classified Ads Listings WordPress Plugin (CVE-2025-67560) , Jan 10, 2026
Simple CSV Table (CVE-2025-12960) , Jan 10, 2026