{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14509", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-11T02:09:49.371Z", "datePublished": "2025-12-30T11:14:25.111Z", "dateUpdated": "2026-04-08T17:11:00.919Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:00.919Z"}, "affected": [{"vendor": "villatheme", "product": "Lucky Wheel for WooCommerce \u2013 Spin a Sale", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Lucky Wheel for WooCommerce \u2013 Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments."}], "title": "Lucky Wheel for WooCommerce \u2013 Spin a Sale <= 1.1.13 - Authenticated (Administrator+) PHP Code Injection via Conditional Tags", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a41bc0e-0ab9-4cee-b3ca-d730c828782c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/trunk/frontend/frontend.php#L127"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/tags/1.1.13/frontend/frontend.php#L127"}, {"url": "https://plugins.trac.wordpress.org/changeset/3428063/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Truong"}], "timeline": [{"time": "2025-12-11T02:25:36.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-29T23:11:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-30T12:55:14.747048Z", "id": "CVE-2025-14509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-30T12:55:26.974Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-30T12:55:14.747048Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-30T12:55:22.637Z"}}], "cna": {"title": "Lucky Wheel for WooCommerce \u2013 Spin a Sale <= 1.1.13 - Authenticated (Administrator+) PHP Code Injection via Conditional Tags", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Truong"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "villatheme", "product": "Lucky Wheel for WooCommerce \u2013 Spin a Sale", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.13"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T02:25:36.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-29T23:11:45.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a41bc0e-0ab9-4cee-b3ca-d730c828782c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/trunk/frontend/frontend.php#L127"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/tags/1.1.13/frontend/frontend.php#L127"}, {"url": "https://plugins.trac.wordpress.org/changeset/3428063/"}], "descriptions": [{"lang": "en", "value": "The Lucky Wheel for WooCommerce \u2013 Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-30T11:14:25.111Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14509", "state": "PUBLISHED", "dateUpdated": "2025-12-30T12:55:26.974Z", "dateReserved": "2025-12-11T02:09:49.371Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-30T11:14:25.111Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Lucky Wheel for WooCommerce \u2013 Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments."}], "id": "CVE-2025-14509", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-30T12:15:44.743", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/tags/1.1.13/frontend/frontend.php#L127"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/trunk/frontend/frontend.php#L127"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3428063/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a41bc0e-0ab9-4cee-b3ca-d730c828782c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:54:11.862068+00:00", "value": {"mitigation_remediation": ["Upgrade Lucky Wheel for WooCommerce \u2013 Spin a Sale to a version newer than 1.1.13 that removes the vulnerable eval usage.", "If an immediate upgrade is not possible, revoke the 'Conditional Tags' setting or disable the plugin until a patched version is available.", "Restrict administrator access to trusted users only and regularly review user roles to reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Lucky Wheel for WooCommerce \u2013 Spin a Sale plugin up to and including version 1.1.13 are affected. All installations of this plugin on both single\u2011site and multisite environments where the plugin is enabled are at risk. Administrators or Super Admins with access to the plugin settings can exploit the flaw.", "description_and_impact": "The Lucky Wheel for WooCommerce \u2013 Spin a Sale plugin is vulnerable to PHP code injection caused by using eval() on unsanitized user input from the Conditional Tags setting. This flaw allows authenticated administrators to run arbitrary PHP code on the server, effectively compromising confidentiality, integrity, and availability of the site. The weakness is a classic code injection, classified as CWE-94.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity vulnerability. The EPSS score indicates the likelihood of exploit in the wild is lower than 1%, and the vulnerability is not listed in the CISA KEV catalog. Attackers must possess administrator\u2011level credentials, but once they do, invocation of the eval() construct enables remote code execution on the server, making this a critical security risk for vulnerable sites."}}}}, "created": "2026-01-05T12:25:22.397115+00:00", "updated": "2026-04-21T17:00:12.322959+00:00", "vendors": ["villatheme", "villatheme$PRODUCT$lucky_wheel_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}