CVE-2026-0808

Name of the Vulnerable Software and Affected Versions Spin Wheel plugin for WordPress versions prior to 2.1.1

Description The Spin Wheel plugin for WordPress is susceptible to client-side prize manipulation. The plugin relies on client-supplied prize selection data without proper server-side validation or randomization. This allows unauthenticated attackers to modify the prize index parameter, enabling them to consistently select the most valuable prizes. The vulnerable parameter is sent to the server, allowing manipulation of the prize selection process.

Recommendations Update the Spin Wheel plugin to version 2.1.1 or later.