{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0808", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-09T14:36:32.229Z", "datePublished": "2026-01-17T06:42:20.697Z", "dateUpdated": "2026-04-08T17:19:33.408Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:33.408Z"}, "affected": [{"vendor": "bdthemes", "product": "Spin Wheel \u2013 Interactive spinning wheel that offers coupons", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes."}], "title": "Spin Wheel <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437726%40spin-wheel&new=3437726%40spin-wheel&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-602 Client-Side Enforcement of Server-Side Security", "cweId": "CWE-602", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "jason carle"}], "timeline": [{"time": "2026-01-09T14:51:52.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-16T18:09:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T18:27:06.693798Z", "id": "CVE-2026-0808", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T18:27:18.935Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0808", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T18:27:06.693798Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T18:27:10.330Z"}}], "cna": {"title": "Spin Wheel <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "jason carle"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "bdthemes", "product": "Spin Wheel \u2013 Interactive spinning wheel that offers coupons", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-09T14:51:52.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-16T18:09:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437726%40spin-wheel&new=3437726%40spin-wheel&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-602", "description": "CWE-602 Client-Side Enforcement of Server-Side Security"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-17T06:42:20.697Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0808", "state": "PUBLISHED", "dateUpdated": "2026-01-20T18:27:18.935Z", "dateReserved": "2026-01-09T14:36:32.229Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-17T06:42:20.697Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes."}, {"lang": "es", "value": "El plugin Spin Wheel para WordPress es vulnerable a la manipulaci\u00f3n de premios del lado del cliente en todas las versiones hasta la 2.1.0, inclusive. Esto se debe a que el plugin conf\u00eda en los datos de selecci\u00f3n de premios proporcionados por el cliente sin validaci\u00f3n o aleatorizaci\u00f3n del lado del servidor. Esto hace posible que atacantes no autenticados manipulen qu\u00e9 premio ganan modificando el par\u00e1metro 'prize_index' enviado al servidor, permiti\u00e9ndoles seleccionar siempre los premios m\u00e1s valiosos."}], "id": "CVE-2026-0808", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-17T07:16:02.123", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437726%40spin-wheel&new=3437726%40spin-wheel&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-602"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T18:04:30.699746+00:00", "value": {"mitigation_remediation": ["Upgrade the Spin Wheel plugin to the latest available version (greater than 2.1.0) to eliminate the client\u2011side parameter validation flaw.", "If upgrading is not immediately possible, restrict access to the AJAX endpoint by requiring authenticated requests or by implementing server\u2011side input validation to reject unauthorized 'prize_index' values.", "Monitor all WordPress installations for unexpected prize awards or anomalous user behavior that could indicate exploitation of this flaw."], "summary": {"action": "Update plugin", "impact": "Unauthenticated manipulation of prize selection leading to undeserved high\u2011value rewards"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Spin Wheel plugin from bdthemes, specifically versions 2.1.0 and earlier. Users who deploy these versions are susceptible to prize manipulation.", "description_and_impact": "The Spin Wheel WordPress plugin accepts a client\u2011supplied 'prize_index' parameter without applying any server\u2011side validation, representing a CWE\u2011602 weakness. A malicious user can modify this parameter and subsequently receive the most valuable prize, effectively circumventing the intended random reward mechanism. The vulnerability results in misuse of the plugin\u2019s functionality, granting attackers unintended benefits while compromising the fairness of the system.", "risk_and_exploitability": "With a CVSS score of 5.3, the vulnerability is considered moderate. The EPSS score of less than 1% implies a low probability of widespread exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation requires only the ability to send HTTP requests to the plugin\u2019s AJAX endpoint, which is publicly accessible, so attackers can craft a request manipulating the 'prize_index' parameter with minimal effort."}}}}, "created": "2026-01-19T09:19:26.499388+00:00", "updated": "2026-04-16T18:15:43.290856+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}