CVE-2025-14509
Unknown Unknown - Not Provided
PHP Code Injection in Lucky Wheel WooCommerce Plugin Allows Admin RCE

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: Wordfence

Description
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14509
EUVD
EUVD-2025-205769
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordpress wordpress *
wordfence woo_lucky_wheel 1.1.13
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress allows authenticated attackers with Administrator-level access (or Site Administrators in multisite setups) to execute arbitrary PHP code on the server. This happens because the plugin uses the eval() function to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization, enabling PHP code injection.

Impact Analysis

This vulnerability can lead to severe impacts including full compromise of the affected server. An attacker with Administrator or Site Administrator privileges can execute arbitrary PHP code, potentially leading to data theft, data loss, unauthorized access, defacement, or complete control over the WordPress site and its underlying server.

Detection Guidance

This vulnerability involves PHP code injection via the 'Conditional Tags' setting in the Woo Lucky Wheel plugin versions up to 1.1.13. Detection can focus on identifying if the vulnerable plugin version is installed and monitoring for suspicious PHP code execution or changes in the 'Conditional Tags' setting. Since the vulnerability requires authenticated Administrator-level access, checking plugin version and configuration is key. Specific commands to detect the vulnerable plugin version include: 1. On the server, check the plugin version by inspecting the plugin's main file header or changelog, e.g., `grep 'Version' wp-content/plugins/woo-lucky-wheel/woocommerce-lucky-wheel.php` or `cat wp-content/plugins/woo-lucky-wheel/changelog.txt`. 2. Search for usage of eval() in the plugin files: `grep -r --include='*.php' 'eval(' wp-content/plugins/woo-lucky-wheel/`. 3. Review WordPress admin settings for suspicious or unexpected PHP code in the 'Conditional Tags' setting of the plugin. 4. Monitor web server logs for unusual POST requests or admin actions related to the plugin settings. 5. Use WordPress CLI to list plugin versions: `wp plugin list | grep woo-lucky-wheel`. These steps help detect presence and potential exploitation attempts of the vulnerability. [3]

Mitigation Strategies

The immediate mitigation step is to update the Woo Lucky Wheel plugin to version 1.1.14 or later, as this version includes compatibility updates and likely fixes related to the vulnerability. Additionally, restrict Administrator-level access to trusted users only, and review the 'Conditional Tags' settings to ensure no malicious PHP code is present. If updating immediately is not possible, consider disabling the plugin temporarily to prevent exploitation. Regularly monitor and audit plugin settings and user activities to detect any unauthorized changes. [1]

Compliance Impact

The vulnerability allows authenticated attackers with Administrator-level access to execute arbitrary PHP code on the server, which could lead to unauthorized access, data breaches, or manipulation of sensitive data. Such security breaches can compromise the confidentiality, integrity, and availability of personal or protected health information, thereby negatively impacting compliance with standards and regulations like GDPR and HIPAA that require strict protection of sensitive data and secure system operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14509. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart