CVE-2025-14509
PHP Code Injection in Lucky Wheel WooCommerce Plugin Allows Admin RCE

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: Wordfence

Description
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Meta Information
Published: 2025-12-30
Last Modified: 2025-12-30
Generated: 2026-05-07
AI Q&A: 2025-12-30
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor      Product           Version / Range
wordpress   wordpress         *
wordfence   woo_lucky_wheel   1.1.13
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress allows authenticated attackers with Administrator-level access (or Site Administrators in multisite setups) to execute arbitrary PHP code on the server. This happens because the plugin uses the eval() function to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization, enabling PHP code injection.


How can this vulnerability impact me?

This vulnerability can lead to severe impacts including full compromise of the affected server. An attacker with Administrator or Site Administrator privileges can execute arbitrary PHP code, potentially leading to data theft, data loss, unauthorized access, defacement, or complete control over the WordPress site and its underlying server.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves PHP code injection via the 'Conditional Tags' setting in the Woo Lucky Wheel plugin versions up to 1.1.13. Detection can focus on identifying if the vulnerable plugin version is installed and monitoring for suspicious PHP code execution or changes in the 'Conditional Tags' setting. Since the vulnerability requires authenticated Administrator-level access, checking plugin version and configuration is key. Specific commands to detect the vulnerable plugin version include:

1. On the server, check the plugin version by inspecting the plugin's main file header or changelog, e.g., `grep 'Version' wp-content/plugins/woo-lucky-wheel/woocommerce-lucky-wheel.php` or `cat wp-content/plugins/woo-lucky-wheel/changelog.txt`.
2. Search for usage of eval() in the plugin files: `grep -r --include='*.php' 'eval(' wp-content/plugins/woo-lucky-wheel/`.
3. Review WordPress admin settings for suspicious or unexpected PHP code in the 'Conditional Tags' setting of the plugin.
4. Monitor web server logs for unusual POST requests or admin actions related to the plugin settings.
5. Use WordPress CLI to list plugin versions: `wp plugin list | grep woo-lucky-wheel`.

These steps help detect presence and potential exploitation attempts of the vulnerability. [3]
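The version and eval() checks from steps 1 and 2 above, combined into one POSIX sh script, as an added example that is not part of this advisory page or of the plugin itself. It assumes the plugin directory and main file named in the detection steps (`wp-content/plugins/woo-lucky-wheel/woocommerce-lucky-wheel.php`) and treats every version up to and including 1.1.13 as vulnerable, as the description states; the version comparison is done component-wise with awk so that 1.1.9 correctly sorts below 1.1.13.

```shell
#!/bin/sh
# Added example (not the advisory's or the plugin's own code): report whether a
# WordPress install carries the affected Lucky Wheel plugin version and how
# many eval( call sites its PHP files contain. Paths are taken from the
# advisory's detection steps; the last-vulnerable version from its description.
PLUGIN_REL="wp-content/plugins/woo-lucky-wheel"
MAIN_FILE="woocommerce-lucky-wheel.php"
LAST_VULNERABLE="1.1.13"   # "all versions up to, and including, 1.1.13"

# version_le A B: exit 0 when dotted version A <= B, comparing each numeric
# component in turn (missing components count as 0).
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 0
  }'
}

# plugin_version FILE: print the "Version:" value from a WordPress plugin
# header block (lines look like " * Version: 1.1.13").
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$1" \
    | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# count_eval DIR: total number of lines containing "eval(" across the
# plugin's PHP files (grep -c prints one file:count line per file).
count_eval() {
  grep -r --include='*.php' -c 'eval(' "$1" 2>/dev/null \
    | awk -F: '{ s += $NF } END { print s + 0 }'
}

# check_plugin WP_ROOT: print not-installed | unknown-version | vulnerable | patched
check_plugin() {
  dir="$1/$PLUGIN_REL"
  main="$dir/$MAIN_FILE"
  [ -f "$main" ] || { echo "not-installed"; return 0; }
  ver="$(plugin_version "$main")"
  [ -n "$ver" ] || { echo "unknown-version"; return 0; }
  if version_le "$ver" "$LAST_VULNERABLE"; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# Usage: sh check-lucky-wheel.sh /var/www/html
if [ -n "${1:-}" ]; then
  status="$(check_plugin "$1")"
  evals="$(count_eval "$1/$PLUGIN_REL")"
  echo "woo-lucky-wheel: $status (eval( occurrences: $evals)"
fi
```

The eval( count is a secondary signal: a patched release may still contain the string in unrelated code, so the version check decides, and a non-zero count on a patched version is a prompt to read the surrounding code rather than proof of exposure.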


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Woo Lucky Wheel plugin to version 1.1.14 or later, as this version includes compatibility updates and likely fixes related to the vulnerability. Additionally, restrict Administrator-level access to trusted users only, and review the 'Conditional Tags' settings to ensure no malicious PHP code is present. If updating immediately is not possible, consider disabling the plugin temporarily to prevent exploitation. Regularly monitor and audit plugin settings and user activities to detect any unauthorized changes. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers with Administrator-level access to execute arbitrary PHP code on the server, which could lead to unauthorized access, data breaches, or manipulation of sensitive data. Such security breaches can compromise the confidentiality, integrity, and availability of personal or protected health information, thereby negatively impacting compliance with standards and regulations like GDPR and HIPAA that require strict protection of sensitive data and secure system operations.

