Platform
wordpress
Component
wp-lucky-wheel
Fixed in
1.0.23
CVE-2025-14541 is a Remote Code Execution (RCE) vulnerability affecting the Lucky Wheel Giveaway WordPress plugin. This vulnerability allows authenticated attackers, specifically those with administrator-level access, to execute arbitrary code on the server. The vulnerability exists in versions 1.0.0 through 1.0.22 and has been resolved in version 1.0.23. Promptly update to the patched version to mitigate this risk.
The impact of this vulnerability is significant. Successful exploitation allows an attacker with administrator privileges to completely compromise the WordPress instance. This could lead to data theft, website defacement, malware installation, and complete system takeover. The use of eval() on unsanitized user input is a critical security flaw, enabling attackers to inject and execute malicious PHP code. Given the plugin's functionality (giveaways), attackers could potentially leverage this to distribute malware to users participating in the giveaways, expanding the blast radius beyond the initial WordPress installation.
This vulnerability was publicly disclosed on 2026-02-11. The use of eval() without proper sanitization is a common vulnerability pattern, and similar flaws have been exploited in the past. There is currently no indication of active exploitation campaigns targeting this specific vulnerability, but the availability of a public CVE and the ease of exploitation increase the likelihood of future attacks. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.38% (59th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Lucky Wheel Giveaway plugin to version 1.0.23 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, a Web Application Firewall (WAF) configured to block requests containing suspicious payloads in the conditional_tags parameter could offer some protection. Monitor WordPress access logs for unusual activity, particularly requests containing PHP code snippets. Review user roles and permissions to ensure only authorized users have administrator access.
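The log-monitoring step above is easiest to act on with a concrete filter. The following Python script is an added example, not code from the advisory or from the plugin's authors: it scans access-log lines in the common "combined" format for GET requests carrying a conditional_tags parameter and flags values that look like injected PHP rather than a boolean expression over WordPress conditional tags. The sample log lines, the admin page path (`/wp-admin/admin.php?page=wp-lucky-wheel`) and the allowlist of tag names are all constructed assumptions; the page does not state how the plugin receives the parameter, so adjust the allowlist and paths to the deployment. Note the caveat the script makes explicit: access logs do not record POST bodies, so a body-borne parameter is invisible here and needs a WAF or request-body logging.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache/nginx "combined" format); not real traffic.
# Paths and query strings are assumptions for illustration only.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Feb/2026:10:02:11 +0000] "GET /wp-admin/admin.php?page=wp-lucky-wheel&conditional_tags=is_home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Feb/2026:10:02:40 +0000] "GET /wp-admin/admin.php?page=wp-lucky-wheel&conditional_tags=is_front_page%28%29+%7C%7C+is_page%28%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Feb/2026:10:03:05 +0000] "GET /wp-admin/admin.php?page=wp-lucky-wheel&conditional_tags=system%28%24_GET%5Bc%5D%29 HTTP/1.1" 200 80 "-" "curl/8.4.0"
198.51.100.7 - - [11/Feb/2026:10:03:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "curl/8.4.0"
192.0.2.5 - - [11/Feb/2026:10:04:00 +0000] "GET /?p=12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical allowlist: identifiers a legitimate conditional-tag expression may use.
ALLOWED_TAGS = {
    "is_home", "is_front_page", "is_page", "is_single", "is_singular",
    "is_archive", "is_category", "is_tag", "is_search", "is_404",
    "true", "false",
}
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")  # quoted arguments such as is_page('about')
# Tokens that never belong in a boolean expression over conditional tags.
FORBIDDEN = {
    "$": "php variable",
    ";": "statement separator",
    "`": "backtick",
    "<?": "php open tag",
}


def classify_value(value):
    """Return the reasons a conditional_tags value looks like injected PHP ([] if benign)."""
    reasons = [why for token, why in FORBIDDEN.items() if token in value]
    stripped = STRING_RE.sub("", value)  # ignore identifiers inside string literals
    unknown = sorted(set(IDENT_RE.findall(stripped)) - ALLOWED_TAGS)
    if unknown:
        reasons.append("unknown identifiers: " + ", ".join(unknown))
    return reasons


def scan_access_log(text):
    """Return (findings, unseen_posts): flagged GET requests, and the number of
    POSTs to /wp-admin/ whose bodies the access log cannot show."""
    findings = []
    unseen_posts = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if m.group("method") == "POST":
            # POST bodies are not logged: inspect these with a WAF or body logging.
            if target.startswith("/wp-admin/"):
                unseen_posts += 1
            continue
        # parse_qs decodes percent-encoding and '+' for us.
        for value in parse_qs(urlsplit(target).query).get("conditional_tags", []):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"), "ts": m.group("ts"),
                    "value": value, "reasons": reasons,
                })
    return findings, unseen_posts


if __name__ == "__main__":
    hits, blind = scan_access_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ts']} {hit['ip']} conditional_tags={hit['value']!r}: {'; '.join(hit['reasons'])}")
    print(f"{blind} POST request(s) to /wp-admin/ could not be inspected from the access log")
```

Run it against a real log with `scan_access_log(open(path).read())`. The allowlist approach deliberately flags anything it does not recognise, so expect to extend `ALLOWED_TAGS` with whatever conditional tags the site legitimately uses before treating a hit as an incident.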
Update to version 1.0.23, or a newer patched version
CVE-2025-14541 is a Remote Code Execution vulnerability in the Lucky Wheel Giveaway WordPress plugin, allowing attackers with admin access to execute code. It affects versions 1.0.0–1.0.22.
You are affected if you are using the Lucky Wheel Giveaway plugin in versions 1.0.0 through 1.0.22. Check your plugin versions immediately.
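Checking the installed version is quick to automate, and doing it with numeric comparison avoids the classic mistake of comparing version strings lexically (where "1.0.9" sorts after "1.0.22"). The script below is an added example, not code from the advisory or the plugin: it reads the `Version:` line of a WordPress plugin header and reports whether it falls in the affected range 1.0.0 through 1.0.22 stated on this page. The plugin header text is constructed for illustration; the real file to read is the plugin's main PHP file under `wp-content/plugins/wp-lucky-wheel/`, whose exact filename this page does not give.

```python
import re

# Affected range from the advisory: 1.0.0 <= version < 1.0.23.
AFFECTED_MIN = (1, 0, 0)
FIXED = (1, 0, 23)

# Constructed plugin header, in the standard WordPress plugin header format.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Lucky Wheel Giveaway
 * Version: 1.0.22
 */
"""

VERSION_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """'1.0.22' -> (1, 0, 22). A suffix such as '-beta' is dropped; short
    versions are padded so '1.0' compares as (1, 0, 0)."""
    core = text.split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def version_from_plugin_header(source):
    """Extract the Version: header from a plugin's main PHP file contents."""
    m = VERSION_HEADER_RE.search(source)
    if not m:
        raise ValueError("no Version: header found")
    return parse_version(m.group(1))


def is_affected(version):
    """True if the version (string or tuple) lies in the affected range."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return AFFECTED_MIN <= v < FIXED


if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    state = "AFFECTED, update to 1.0.23 or later" if is_affected(installed) else "not affected"
    print(f"installed {'.'.join(map(str, installed))}: {state}")
```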
Upgrade the Lucky Wheel Giveaway plugin to version 1.0.23 or later. If immediate upgrade is not possible, disable the plugin temporarily.
There is currently no confirmed active exploitation, but the vulnerability is publicly known and could be targeted in the future.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.