Platform
wordpress
Component
woo-lucky-wheel
Fixed in
1.1.14
CVE-2025-14509 describes a PHP Code Injection vulnerability present in the Lucky Wheel for WooCommerce plugin for WordPress. This vulnerability allows authenticated attackers with administrator privileges to execute arbitrary PHP code on the server. The issue affects versions 1.0.0 through 1.1.13, and a patch is available in version 1.1.14.
The vulnerability stems from the plugin passing the value of its 'Conditional Tags' setting to eval() without sanitization. Whatever an administrator saves in that setting is executed as PHP with the privileges of the web server user (typically www-data), which can lead to complete server compromise: data exfiltration, web shell or malware installation, and denial of service. In WordPress multisite environments the issue is more serious than "admin can already do anything": Site Administrators of a single site, who are normally not permitted to execute code, can use this setting to run PHP on the shared server and affect every site on the network.
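The following is an added example and is not code from the Lucky Wheel for WooCommerce plugin. It places the eval()-on-a-setting pattern the advisory describes next to a hardened replacement that evaluates a small boolean grammar over an allowlist of WordPress conditional tags without ever calling eval(). The option name, the allowlist contents and the fixture values for is_shop() and friends are assumptions made so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Contrasts eval() on a stored setting
// with an allowlist-based evaluator. In WordPress the setting would come from
// get_option() under a name this example does not know (assumed: 'lw_conditional_tags').

// Stand-ins for WordPress conditional tags so the file runs outside WordPress.
// The values are constructed fixtures for this example.
$GLOBALS['lw_fixture'] = ['is_shop' => true, 'is_product' => false, 'is_cart' => false];
function is_shop(): bool    { return $GLOBALS['lw_fixture']['is_shop']; }
function is_product(): bool { return $GLOBALS['lw_fixture']['is_product']; }
function is_cart(): bool    { return $GLOBALS['lw_fixture']['is_cart']; }

// Vulnerable pattern: the stored setting is interpolated straight into eval().
// A setting of "is_shop() || system('id')" runs system() as the web server user.
function lw_should_show_wheel_vulnerable(string $setting): bool
{
    return (bool) eval("return ({$setting});");   // never do this, even for admin-only settings
}

// Hardened replacement: accept only this grammar over allowlisted tag names and
// evaluate it with a recursive-descent parser. No eval(); a name is called only
// after it has been checked against LW_ALLOWED_TAGS.
//   expr   := term ('||' term)*
//   term   := factor ('&&' factor)*
//   factor := '!' factor | '(' expr ')' | TAG '(' ')'
const LW_ALLOWED_TAGS = ['is_shop', 'is_product', 'is_cart'];

function lw_tokenize(string $s): array
{
    $compact = preg_replace('/\s+/', '', $s);
    preg_match_all('/\|\||&&|!|\(|\)|[a-z_][a-z0-9_]*/', $compact, $m);
    // Anything the tokenizer skipped (quotes, $, ;, digits, ...) rejects the whole expression.
    if (implode('', $m[0]) !== $compact) {
        throw new InvalidArgumentException('disallowed characters in conditional tag expression');
    }
    return $m[0];
}

final class LwConditionEvaluator
{
    private array $tok;
    private int $pos = 0;

    public function __construct(string $expr) { $this->tok = lw_tokenize($expr); }

    public function evaluate(): bool
    {
        $v = $this->expr();
        if ($this->pos !== count($this->tok)) {
            throw new InvalidArgumentException('unexpected trailing tokens');
        }
        return $v;
    }

    private function peek(): ?string { return $this->tok[$this->pos] ?? null; }
    private function next(): ?string { return $this->tok[$this->pos++] ?? null; }

    private function expr(): bool
    {
        $v = $this->term();
        while ($this->peek() === '||') { $this->next(); $r = $this->term(); $v = $v || $r; }
        return $v;
    }

    private function term(): bool
    {
        $v = $this->factor();
        while ($this->peek() === '&&') { $this->next(); $r = $this->factor(); $v = $v && $r; }
        return $v;
    }

    private function factor(): bool
    {
        $t = $this->next();
        if ($t === '!') {
            return !$this->factor();
        }
        if ($t === '(') {
            $v = $this->expr();
            if ($this->next() !== ')') throw new InvalidArgumentException('missing )');
            return $v;
        }
        if ($t !== null && in_array($t, LW_ALLOWED_TAGS, true)) {
            if ($this->next() !== '(' || $this->next() !== ')') {
                throw new InvalidArgumentException("expected () after {$t}");
            }
            return (bool) $t();   // only an allowlisted name reaches this call
        }
        throw new InvalidArgumentException('unexpected token ' . var_export($t, true));
    }
}

// Fail closed: a setting that does not parse simply never shows the wheel.
function lw_should_show_wheel_hardened(string $setting): bool
{
    try {
        return (new LwConditionEvaluator($setting))->evaluate();
    } catch (InvalidArgumentException $e) {
        return false;
    }
}

$benign  = 'is_shop() || is_product()';
$hostile = "is_shop() || system('id')";

echo 'vulnerable, benign input:  ', var_export(lw_should_show_wheel_vulnerable($benign), true), PHP_EOL;
echo 'hardened,   benign input:  ', var_export(lw_should_show_wheel_hardened($benign), true), PHP_EOL;
// The vulnerable function is deliberately not called on $hostile: it would run system('id').
echo 'hardened,   hostile input: ', var_export(lw_should_show_wheel_hardened($hostile), true), PHP_EOL;
```

The hardened evaluator rejects the hostile string at tokenization, before any name is looked at, because the quote characters are not part of the grammar; an expression built from unknown but syntactically valid names (for example a function not in LW_ALLOWED_TAGS) is rejected in factor(). Both paths fail closed, so a bad setting disables the wheel rather than executing anything.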
This vulnerability was publicly disclosed on 2025-12-30. No public exploit has been confirmed, but exploitation is trivial once an administrator session is available, and the plugin's install base makes it an attractive target. eval() on unsanitized settings is a well-known pattern, so automated scanning and exploitation attempts are likely. The CVE is not currently listed in CISA's KEV catalog.
WordPress websites utilizing the Lucky Wheel for WooCommerce plugin, particularly those with administrator accounts that have not been secured with strong passwords or multi-factor authentication, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also particularly vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
wp plugin list --status=active --fields=name,version | grep woo-lucky-wheel
The plugin slug is woo-lucky-wheel, as in the Component field above. Any reported version from 1.0.0 through 1.1.13 is affected; this version check is the authoritative test.
• generic web:
grep -rn 'eval(' /var/www/wordpress/wp-content/plugins/woo-lucky-wheel/
Heuristic only: the advisory does not publish the vulnerable line, so match on any eval() call in the plugin directory and review the hits by hand. Do not probe a live site by submitting PHP such as system("whoami") through the 'Conditional Tags' setting: that is an exploitation attempt, not a detection check, and it requires administrator credentials in any case.
Disclosure: 2025-12-30
Exploit status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Lucky Wheel for WooCommerce plugin to version 1.1.14 or later immediately. If upgrading is not immediately feasible, note that the attacker role is administrator, so restricting access to the 'Conditional Tags' setting has limited value on its own: an administrator can normally re-enable it. Until the patch is applied, reduce the attack surface by deactivating the plugin, auditing and pruning administrator accounts, and enforcing multi-factor authentication on those that remain; on multisite installations deactivate the plugin network-wide, since Site Administrators are the relevant attackers there. Review server access logs and WordPress activity for changes to the plugin's settings by unexpected accounts or from unexpected IP addresses. After upgrading, verify the fix on a staging copy rather than on production by saving a harmless PHP expression in the 'Conditional Tags' setting; a patched version must not execute it.
Update to version 1.1.14 or a newer patched version
CVE-2025-14509 is a vulnerability in the Lucky Wheel for WooCommerce plugin that allows authenticated administrators to execute arbitrary PHP code due to unsanitized user input.
You are affected if you are using Lucky Wheel for WooCommerce versions 1.0.0 through 1.1.13. Check your plugin versions immediately.
Upgrade the Lucky Wheel for WooCommerce plugin to version 1.1.14 or later. If immediate upgrade is not possible, restrict access to the 'Conditional Tags' setting.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation and the plugin's popularity make exploitation attempts likely.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.