{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14541", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-11T12:57:34.735Z", "datePublished": "2026-02-11T01:23:34.921Z", "dateUpdated": "2026-04-08T17:14:46.577Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:46.577Z"}, "affected": [{"vendor": "villatheme", "product": "Lucky Wheel Giveaway", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}], "title": "Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac0455a2-1fa8-4a37-a72f-9ed5cca1d9ee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439141/wp-lucky-wheel/trunk"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Truong"}], "timeline": [{"time": "2025-12-08T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-11T13:13:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-10T11:56:58.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:40:35.381347Z", "id": "CVE-2025-14541", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:45:26.400Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14541", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T15:40:35.381347Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:40:36.145Z"}}], "cna": {"title": "Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Truong"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "villatheme", "product": "Lucky Wheel Giveaway", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-08T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-11T13:13:10.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-10T11:56:58.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac0455a2-1fa8-4a37-a72f-9ed5cca1d9ee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439141/wp-lucky-wheel/trunk"}], "descriptions": [{"lang": "en", "value": "The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:46.577Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14541", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:14:46.577Z", "dateReserved": "2025-12-11T12:57:34.735Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-11T01:23:34.921Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}, {"lang": "es", "value": "El plugin Lucky Wheel Giveaway para WordPress es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo en todas las versiones hasta la 1.0.22, inclusive, a trav\u00e9s del par\u00e1metro conditional_tags. Esto se debe a que el plugin utiliza la funci\u00f3n eval() de PHP en entradas controladas por el usuario sin una validaci\u00f3n o saneamiento adecuados. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, ejecuten c\u00f3digo en el servidor."}], "id": "CVE-2025-14541", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-11T02:15:57.887", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3439141/wp-lucky-wheel/trunk"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac0455a2-1fa8-4a37-a72f-9ed5cca1d9ee?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.22]"}}], "product": "lucky_wheel_giveaway", "vendor": "villatheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-20T20:55:06.027844+00:00", "value": {"mitigation_remediation": ["Upgrade Lucky Wheel Giveaway to the latest release that removes the eval usage on conditional_tags.", "If an immediate upgrade is not possible, lock down or remove Administrator-level access to the conditional_tags feature by adjusting WordPress capabilities or disabling the plugin temporarily.", "Implement monitoring for unexpected PHP execution patterns and consider applying a web application firewall rule to block attempts that trigger eval processing."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Lucky Wheel Giveaway WordPress plugin released by Villatheme. Versions up to and including 1.0.22 are susceptible. Only users with Administrator\u2011level or higher WordPress privileges can exploit the flaw because the conditional_tags parameter is only accessible to authenticated administrators. Other users or unauthenticated visitors cannot trigger the vulnerability directly.", "description_and_impact": "The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 1.0.22 through the unconditional use of PHP's eval() function on data supplied via the conditional_tags parameter. Because the code does not perform any validation or sanitization on this user-controlled input, an attacker who can provide values for that parameter can inject and run arbitrary PHP code on the host. The vulnerability carries the CWE\u201194 label, indicating an untrusted code inclusion flaw. It can compromise the confidentiality, integrity, and availability of the web server and any data it hosts.", "risk_and_exploitability": "The CVSS v3 base score of 7.2 reflects a high severity. The EPSS score is less than 1\u202f%, indicating a low but non\u2011zero likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to compromise or use legitimate administrator credentials; once authenticated, the attacker can craft a payload for the conditional_tags parameter to execute arbitrary code. The attack vector is likely indirect, requiring administrative access to the WordPress backend or API. The overall risk is moderate to high, especially for sites with a large administrative user base or weak credential management."}}}}, "created": "2026-02-11T21:46:14.278836+00:00", "updated": "2026-04-20T21:00:12.964300+00:00", "vendors": ["villatheme", "villatheme$PRODUCT$lucky_wheel_giveaway", "wordpress", "wordpress$PRODUCT$wordpress"]}