PT-2026-7480 · WordPress · Lucky Wheel Giveaway
Nguyen Truong
·
Published
2026-02-11
·
Updated
2026-02-16
·
CVE-2025-14541
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Lucky Wheel Giveaway plugin for WordPress versions prior to 1.0.23
Description
The Lucky Wheel Giveaway plugin for WordPress is susceptible to Remote Code Execution. This is due to the use of PHP’s
eval() function on user-controlled input without sufficient validation or sanitization. An authenticated attacker with Administrator-level access or higher can execute code on the server through the conditional tags parameter.Recommendations
Update the Lucky Wheel Giveaway plugin to version 1.0.23 or later.
Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Lucky Wheel Giveaway