Platform: wordpress
Component: wp-lucky-wheel
Fixed in: 1.0.23
CVE-2025-14541 is a Remote Code Execution (RCE) vulnerability affecting the Lucky Wheel Giveaway WordPress plugin. This vulnerability allows authenticated attackers, specifically those with administrator-level access, to execute arbitrary code on the server. The vulnerability exists in versions 1.0.0 through 1.0.22 and has been resolved in version 1.0.23. Promptly update to the patched version to mitigate this risk.
The impact of this vulnerability is significant. Successful exploitation allows an attacker with administrator privileges to completely compromise the WordPress instance. This could lead to data theft, website defacement, malware installation, and complete system takeover. The use of eval() on unsanitized user input is a critical security flaw, enabling attackers to inject and execute malicious PHP code. Given the plugin's functionality (giveaways), attackers could potentially leverage this to distribute malware to users participating in the giveaways, expanding the blast radius beyond the initial WordPress installation.
This vulnerability was publicly disclosed on 2026-02-11. The use of eval() without proper sanitization is a common vulnerability pattern, and similar flaws have been exploited in the past. There is currently no indication of active exploitation campaigns targeting this specific vulnerability, but the availability of a public CVE and the ease of exploitation increase the likelihood of future attacks. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Lucky Wheel Giveaway plugin, particularly those with administrator accounts that have not been secured with strong passwords and multi-factor authentication, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.
• wordpress / plugin: Check the plugin version (the `wp plugin list` name column holds the slug, wp-lucky-wheel, and the JSON output is an array of plugin objects).
wp plugin list | grep wp-lucky-wheel
wp plugin list --status=active --format=json | jq -r '.[] | select(.name == "wp-lucky-wheel") | .version'
• wordpress / plugin: Examine plugin files for eval() usage without sanitization. Run grep -rn 'eval(' . within the plugin directory.
• generic web: Monitor access logs for requests containing suspicious PHP code in the conditional_tags parameter. Look for patterns resembling code injection attempts.
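The two checks above as POSIX sh functions, added here as an example and not code from the advisory or from the plugin: one tests whether an installed version falls inside the affected range 1.0.0 through 1.0.22, the other counts conditional_tags values carrying PHP-execution tokens in access-log lines. The log format, the endpoint paths in the sample and the token list are assumptions; a real version string comes from `wp plugin get wp-lucky-wheel --field=version`.

```shell
#!/bin/sh
# Added defender-side checks for CVE-2025-14541 (not from the advisory or
# the plugin). Assumes GNU/busybox `sort -V`; the log format and the
# indicator token list below are assumptions, not taken from the advisory.

# Returns 0 when a Lucky Wheel Giveaway version lies in the affected range
# 1.0.0 .. 1.0.22 stated in the advisory, 1 otherwise.
lwg_is_affected() {
  v="$1"
  lowest=$(printf '%s\n%s\n' "$v" 1.0.23 | sort -V | head -n 1)  # v <= 1.0.23 ?
  highest=$(printf '%s\n%s\n' "$v" 1.0.0 | sort -V | tail -n 1)  # v >= 1.0.0 ?
  [ "$lowest" = "$v" ] && [ "$v" != 1.0.23 ] && [ "$highest" = "$v" ]
}

# Reads access-log lines on stdin, extracts every conditional_tags= value,
# URL-decodes just < ? ( ) (enough for the indicator list) and prints how
# many values contain a PHP-execution token. Prints 0 when none match.
lwg_count_suspicious() {
  sed -n 's/.*[?&]conditional_tags=\([^ &"]*\).*/\1/p' \
    | sed 's/%3[cC]/</g; s/%3[fF]/?/g; s/%28/(/g; s/%29/)/g' \
    | grep -ciE '<\?php|eval\(|assert\(|system\(|shell_exec\(|passthru\(|exec\(|base64_decode\(' \
    || true
}

# Constructed sample log (Apache combined format); hosts, paths and values
# are illustrative only. Line 2 is a benign conditional-tag value, lines 3
# and 4 are the trace a code-injection attempt would leave behind.
SAMPLE_LOG='203.0.113.10 - - [11/Feb/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=wp-lucky-wheel HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Feb/2026:10:00:05 +0000] "POST /wp-admin/admin.php?page=wp-lucky-wheel&conditional_tags=is_front_page%28%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Feb/2026:10:01:09 +0000] "POST /wp-admin/admin.php?page=wp-lucky-wheel&conditional_tags=eval%28REDACTED%29 HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [11/Feb/2026:10:01:10 +0000] "POST /wp-admin/admin.php?page=wp-lucky-wheel&conditional_tags=%3C%3Fphp+system%28REDACTED%29 HTTP/1.1" 500 0 "-" "curl/8.0"'

# Stand-alone run: classify a few versions, then scan the sample log.
for v in 1.0.5 1.0.22 1.0.23; do
  if lwg_is_affected "$v"; then echo "$v: affected"; else echo "$v: not affected"; fi
done
echo "suspicious conditional_tags values in sample log: $(printf '%s\n' "$SAMPLE_LOG" | lwg_count_suspicious)"
```

Pipe a real log into lwg_count_suspicious (for example `lwg_count_suspicious < /var/log/apache2/access.log`) and treat any non-zero count as a prompt to review those requests and the admin accounts that issued them.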
Exploit status: disclosure
EPSS: 0.38% (percentile 59%)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Lucky Wheel Giveaway plugin to version 1.0.23 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, a Web Application Firewall (WAF) configured to block requests containing suspicious payloads in the conditional_tags parameter could offer some protection. Monitor WordPress access logs for unusual activity, particularly requests containing PHP code snippets. Review user roles and permissions to ensure only authorized users have administrator access.
Update to version 1.0.23, or a more recent fixed version.
CVE-2025-14541 is a Remote Code Execution vulnerability in the Lucky Wheel Giveaway WordPress plugin, allowing attackers with admin access to execute code. It affects versions 1.0.0–1.0.22.
You are affected if you are using the Lucky Wheel Giveaway plugin in versions 1.0.0 through 1.0.22. Check your plugin versions immediately.
Upgrade the Lucky Wheel Giveaway plugin to version 1.0.23 or later. If immediate upgrade is not possible, disable the plugin temporarily.
There is currently no confirmed active exploitation, but the vulnerability is publicly known and could be targeted in the future.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.