Platform
wordpress
Component
woo-lucky-wheel
Fixed in
1.1.14
CVE-2025-14509 describes a PHP Code Injection vulnerability present in the Lucky Wheel for WooCommerce plugin for WordPress. This vulnerability allows authenticated attackers with administrator privileges to execute arbitrary PHP code on the server. The issue affects versions 1.0.0 through 1.1.13, and a patch is available in version 1.1.14.
The vulnerability stems from the plugin passing the value of the 'Conditional Tags' setting to eval() without sanitization, so whatever an administrator saves in that field is executed as PHP. Successful exploitation yields arbitrary PHP execution with the privileges of the web server user, which is enough for complete compromise of the site and, depending on the hosting setup, the server: data exfiltration, web shells and other malware, or denial of service. The real damage is to a trust boundary. On a single site an administrator can already install plugins and therefore run code, but in WordPress multisite, site administrators are normally prevented from installing plugins or editing code; this bug lets them run code on the shared host anyway, potentially affecting every site in the network.
The vulnerability was publicly disclosed on 2025-12-30. No public exploit has been confirmed, but the trigger is trivial once an administrator session exists: save PHP into one settings field and exercise the code path that evaluates it. eval() on a stored setting is a well-known bug class, so automated scanners and post-compromise tooling are likely to check for it. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Sites running the plugin are at risk in proportion to how well their administrator accounts are protected: a phished or reused administrator password, no MFA requirement, or a lower-privilege bug chained to reach an administrator session all end in code execution. In multisite networks, any site administrator already holds the required privilege. On shared hosting, code running as the web server user can often read or modify other sites that run under the same user or with lax filesystem permissions, so a compromise of one site can spread to others.
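The eval()-on-a-setting pattern next to a hardened replacement, as an added example that is not code from the Lucky Wheel for WooCommerce plugin. It assumes the 'Conditional Tags' setting holds a boolean expression over WordPress conditional tags such as is_product() || is_cart() (an assumption based on the setting's name, not on the plugin's source); the lw_-prefixed function names, the allowlist and the resolver table are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example; not code from the Lucky Wheel for WooCommerce plugin.
// Assumption: the 'Conditional Tags' setting stores a boolean expression over
// WordPress conditional tags, e.g. "is_product() || is_cart()", that decides
// where the wheel is shown. Names prefixed lw_ are invented for this example.

// VULNERABLE PATTERN (the bug class behind CVE-2025-14509): the saved setting is
// executed verbatim, so whoever can save it has a PHP shell on the web server.
function lw_should_show_unsafe(string $setting): bool
{
    return (bool) eval('return ' . $setting . ';');
}

// HARDENED FORM: accept only allowlisted tags, !, &&, || and parentheses, then
// interpret the expression with a small recursive-descent evaluator.
// User-controlled text never reaches eval().
const LW_ALLOWED_TAGS = [
    'is_product', 'is_cart', 'is_checkout', 'is_shop', 'is_front_page', 'is_user_logged_in',
];

/** Token list for $expr, or null if it contains anything outside the grammar. */
function lw_tokenize(string $expr): ?array
{
    $tokens = [];
    $offset = 0;
    $expr   = rtrim($expr);
    // \G pins each match to $offset, so no unexpected byte can be skipped over.
    $re = '/\G\s*(?:([A-Za-z_][A-Za-z0-9_]*)\s*\(\s*\)|(&&|\|\||!|\(|\)))/';
    while ($offset < strlen($expr)) {
        if (!preg_match($re, $expr, $m, 0, $offset)) {
            return null;                              // e.g. system("id")
        }
        if ($m[1] !== '') {
            if (!in_array($m[1], LW_ALLOWED_TAGS, true)) {
                return null;                          // call not on the allowlist
            }
            $tokens[] = $m[1];
        } else {
            $tokens[] = $m[2];
        }
        $offset += strlen($m[0]);
    }
    return $tokens;
}

/**
 * expr := term ('||' term)* ; term := factor ('&&' factor)* ;
 * factor := '!' factor | '(' expr ')' | TAG
 * $resolve maps a tag name to its boolean value; inside WordPress that would be
 * the real conditional function, here a constructed table so this runs offline.
 */
function lw_eval(array $tokens, callable $resolve): bool
{
    $pos = 0;
    $factor = function () use (&$pos, $tokens, $resolve, &$factor, &$expr): bool {
        $t = $tokens[$pos] ?? null;
        $pos++;
        if ($t === '!') {
            return !$factor();
        }
        if ($t === '(') {
            $v = $expr();
            if (($tokens[$pos] ?? null) !== ')') {
                throw new InvalidArgumentException('missing )');
            }
            $pos++;
            return $v;
        }
        if ($t === null || !in_array($t, LW_ALLOWED_TAGS, true)) {
            throw new InvalidArgumentException('expected a conditional tag');
        }
        return (bool) $resolve($t);
    };
    $term = function () use (&$pos, $tokens, &$factor): bool {
        $v = $factor();
        while (($tokens[$pos] ?? null) === '&&') {
            $pos++;
            $r = $factor();        // evaluate the right side so its tokens are consumed
            $v = $v && $r;
        }
        return $v;
    };
    $expr = function () use (&$pos, $tokens, &$term): bool {
        $v = $term();
        while (($tokens[$pos] ?? null) === '||') {
            $pos++;
            $r = $term();
            $v = $v || $r;
        }
        return $v;
    };
    $v = $expr();
    if ($pos !== count($tokens)) {
        throw new InvalidArgumentException('unexpected trailing tokens');
    }
    return $v;
}

/** Safe replacement for lw_should_show_unsafe(): anything outside the grammar is rejected. */
function lw_should_show_safe(string $setting, callable $resolve): bool
{
    $tokens = lw_tokenize($setting);
    if ($tokens === null) {
        return false;                     // worth logging: someone saved non-grammar input
    }
    try {
        return lw_eval($tokens, $resolve);
    } catch (InvalidArgumentException $e) {
        return false;
    }
}

// Constructed page context standing in for WordPress's conditional tags.
$resolve = fn(string $tag): bool => ['is_product' => true, 'is_cart' => false][$tag] ?? false;
var_dump(lw_should_show_safe('is_product() || is_cart()', $resolve));
var_dump(lw_should_show_safe('!is_product() && !is_cart()', $resolve));
var_dump(lw_should_show_safe('system("id"); is_product()', $resolve));
```

The design point is that the setting is treated as data with a fixed grammar rather than as code: the tokenizer rejects the injection attempt in the last call before any evaluation happens, while the first two calls are interpreted without ever invoking eval(). The allowlist is the security control; extending it means adding a tag name, not widening what the interpreter can execute.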
• wordpress / composer / npm:
wp plugin list --status=active --fields=name,version | grep woo-lucky-wheel
(any version from 1.0.0 up to and including 1.1.13 is affected; the slug is the component listed above)
• wordpress / composer / npm:
grep -rn --include='*.php' 'eval(' /var/www/wordpress/wp-content/plugins/woo-lucky-wheel/
(adjust the path to your install; a hit is an indicator, not proof, and the plugin version is the authoritative check)
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/woo-lucky-wheel/readme.txt | grep -i 'stable tag'
(a passive version fingerprint that works only if readme.txt is web-readable; because the bug is reachable only through an authenticated administrator session, there is no meaningful unauthenticated request that confirms exploitability)
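A version-range and eval() check in PHP, added here as an example rather than any project's tooling. It parses the plugin's main-file header the way WordPress's plugin loader does, compares the version with the affected range using version_compare(), and lists PHP files in the plugin directory that call eval(. The slug woo-lucky-wheel and the bounds 1.0.0 and 1.1.14 come from this advisory; the fixture directory is constructed so the script runs offline, and on a real install $dir would point at wp-content/plugins/woo-lucky-wheel.

```php
<?php
declare(strict_types=1);
// Added example (not the plugin's or WordPress's code). The fixture below is
// constructed; on a real site point $dir at wp-content/plugins/woo-lucky-wheel.

/** Read "Plugin Name:" and "Version:" from the header comment of the main plugin file. */
function lw_plugin_header(string $plugin_dir): ?array
{
    foreach (glob($plugin_dir . '/*.php') ?: [] as $file) {
        $head = file_get_contents($file, false, null, 0, 8192); // WordPress also reads only the first 8 KiB
        if ($head !== false
            && preg_match('/^[ \t\/*#@]*Plugin Name:\s*(.+)$/mi', $head, $n)
            && preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $v)) {
            return ['name' => trim($n[1]), 'version' => $v[1], 'file' => $file];
        }
    }
    return null;
}

/** True if $version lies in [$first_affected, $fixed_in), i.e. "1.0.0 through 1.1.13" for a fix in 1.1.14. */
function lw_is_affected(string $version, string $first_affected, string $fixed_in): bool
{
    return version_compare($version, $first_affected, '>=')
        && version_compare($version, $fixed_in, '<');
}

/** PHP files under $plugin_dir containing an eval( call: an indicator to review, not proof by itself. */
function lw_find_eval(string $plugin_dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($plugin_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if ($f->getExtension() === 'php'
            && preg_match('/\beval\s*\(/', (string) file_get_contents($f->getPathname()))) {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}

// Constructed fixture standing in for an unpatched install of the plugin.
$dir = sys_get_temp_dir() . '/lw-fixture-' . getmypid() . '/woo-lucky-wheel';
mkdir($dir, 0700, true);
file_put_contents($dir . '/woo-lucky-wheel.php',
    "<?php\n/*\nPlugin Name: Lucky Wheel for WooCommerce\nVersion: 1.1.13\n*/\n");
file_put_contents($dir . '/settings.php',
    "<?php\n// constructed stand-in for the eval() the advisory describes\neval(\$conditional_tags);\n");

$header = lw_plugin_header($dir);
if ($header === null) {
    fwrite(STDERR, "no plugin header found under $dir\n");
    exit(2);
}
$affected = lw_is_affected($header['version'], '1.0.0', '1.1.14');
printf("%s %s: %s\n", $header['name'], $header['version'],
    $affected ? 'AFFECTED by CVE-2025-14509, update to 1.1.14 or later' : 'not in the affected range');
foreach (lw_find_eval($dir) as $hit) {
    printf("  eval() call in %s\n", $hit);
}
exit($affected ? 1 : 0);
```

The exit status (1 when affected, 0 when not, 2 when the header cannot be read) makes the check usable from a cron job or CI step; version_compare() is preferable to a string or float comparison because it orders 1.1.9 before 1.1.13 correctly.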
EPSS
0.10% (28th percentile)
The primary mitigation is to upgrade the Lucky Wheel for WooCommerce plugin to version 1.1.14 or later. If that is not immediately possible, deactivate the plugin until it can be updated; merely restricting the 'Conditional Tags' setting offers little, because the only users who can reach it are administrators, who are exactly the attackers this CVE concerns. Review who holds administrator (and, in multisite, site administrator) access, enforce MFA on those accounts, and inspect the stored 'Conditional Tags' value for PHP that does not belong there, together with web server and WordPress logs for settings changes around any suspicious activity. After upgrading, verify on a staging copy that saving PHP into the 'Conditional Tags' field no longer executes it. If an administrator account may have been abused before the fix, the update does not remove any web shell or persistence the attacker left behind, so treat such a site as compromised and rebuild from a known-good source.
Update to version 1.1.14 or a later fixed version.
CVE-2025-14509 is a vulnerability in the Lucky Wheel for WooCommerce plugin that allows authenticated administrators to execute arbitrary PHP code due to unsanitized user input.
You are affected if you are using Lucky Wheel for WooCommerce versions 1.0.0 through 1.1.13. Check your plugin versions immediately.
Upgrade the Lucky Wheel for WooCommerce plugin to version 1.1.14 or later. If an immediate upgrade is not possible, deactivate the plugin, and in any case review who holds administrator access, since only administrators can reach the 'Conditional Tags' setting.
While no active exploitation has been confirmed, the vulnerability is trivial to trigger for anyone who obtains an administrator session, so expect it to be used by post-compromise and automated tooling.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.