Platform
wordpress
Component
woo-lucky-wheel
Fixed in
1.1.14
CVE-2025-14509 describes a PHP Code Injection vulnerability present in the Lucky Wheel for WooCommerce plugin for WordPress. This vulnerability allows authenticated attackers with administrator privileges to execute arbitrary PHP code on the server. The issue affects versions 1.0.0 through 1.1.13, and a patch is available in version 1.1.14.
The vulnerability stems from the plugin's use of eval() on unsanitized user input from the 'Conditional Tags' setting. Successful exploitation allows an attacker to execute arbitrary PHP code with the privileges of the web server user. This could lead to complete server compromise, including data exfiltration, malware installation, and denial of service. In WordPress multisite environments, Site Administrators can leverage this vulnerability to execute code, bypassing intended restrictions and potentially impacting multiple sites.
This vulnerability was publicly disclosed on 2025-12-30. While no public exploits have been confirmed, the ease of exploitation and the plugin's popularity suggest a potential for active exploitation. The use of eval() with unsanitized user input is a common vulnerability pattern, increasing the likelihood of automated scanning and exploitation attempts. No KEV listing is currently available.
Exploit Status
EPSS
0.10% (28% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Lucky Wheel for WooCommerce plugin to version 1.1.14 or later. If upgrading is not immediately feasible, consider temporarily restricting access to the 'Conditional Tags' setting within the plugin's configuration. While not a complete solution, this can reduce the attack surface. Review server access logs for any suspicious activity related to the plugin. After upgrading, verify the fix by attempting to inject PHP code through the 'Conditional Tags' setting – the code should not be executed.
Update to version 1.1.14, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-14509 is a vulnerability in the Lucky Wheel for WooCommerce plugin that allows authenticated administrators to execute arbitrary PHP code due to unsanitized user input.
You are affected if you are using Lucky Wheel for WooCommerce versions 1.0.0 through 1.1.13. Check your plugin versions immediately.
Upgrade the Lucky Wheel for WooCommerce plugin to version 1.1.14 or later. If immediate upgrade is not possible, restrict access to the 'Conditional Tags' setting.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation and plugin popularity suggest a potential for exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.