CVE-2025-14541
BaseFortify
Publication date: 2026-02-11
Last updated on: 2026-02-11
Assigner: Wordfence
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution (RCE) in all versions up to and including 1.0.22. The plugin passes the user-controlled conditional_tags parameter to PHP's eval() without validating or sanitizing it, so whatever PHP is placed in that parameter runs as part of the plugin (CWE-94, code injection).
As a result, authenticated attackers with Administrator-level access or higher can execute arbitrary PHP on the web server, potentially taking full control of the affected system.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it turns administrator access to the WordPress dashboard into arbitrary code execution on the hosting server. The realistic attack path is a compromised administrator account (credential theft, password reuse, a phished or hijacked session). Note that on a default WordPress install an administrator can already run code by uploading a plugin; the eval() path matters most on hardened sites where dashboard file changes are blocked (DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT in wp-config.php) and on multisite installs where site administrators are not super administrators, because it bypasses those restrictions.
- Attackers could modify or delete website data.
- They could install malware or backdoors to maintain persistent access.
- It could lead to full server compromise, affecting other sites or services on the same server.
- The integrity, confidentiality, and availability of the website and its data could be severely impacted.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Lucky Wheel Giveaway WordPress plugin in versions up to and including 1.0.22, where the conditional_tags parameter is passed to PHP's eval() without validation. Detection has two parts: confirming whether a vulnerable plugin version is installed, and checking whether the conditional_tags parameter has been sent with anything other than its expected value.
To detect exploitation attempts or presence of the vulnerable plugin, you can:
- Check the WordPress plugins directory for the Lucky Wheel Giveaway plugin (version <= 1.0.22). For example, on the server, run `grep -r 'wp-lucky-wheel' wp-content/plugins/` to locate it, then read the `Version:` line in the header comment of its main plugin file.
- Monitor web server logs for HTTP requests containing suspicious payloads in the conditional_tags parameter, such as `$`, `;`, `<?` or PHP function calls, which do not belong in a list of conditional tag names. Keep in mind that only the query string is written to a standard access log: a payload submitted in a POST body will not appear there, so a clean grep of the access log does not prove the parameter was never abused.
- Use command-line tools like `grep` or `awk` on access logs to find requests carrying the parameter in the URL, e.g.: `grep 'conditional_tags=' /var/log/apache2/access.log`. Percent-decode the matches before judging them, since an exploit will usually arrive URL-encoded.
- Look for administrator activity combined with POST or GET requests targeting the plugin's settings endpoints, and correlate with any application-level audit log (for example a security plugin's activity log) that records settings changes by user.
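The log check from the bullets above, written out as a script. This is an added example and not code from the advisory or the plugin: it parses combined-format access log lines, URL-decodes any conditional_tags query value, and flags values that contain PHP constructs rather than a comma-separated list of tag names. The sample log lines are constructed, the `/wp-admin/admin.php?page=example` path is a placeholder (the page does not give the plugin's real settings endpoint), and the assumed benign shape of the parameter (a list of WordPress conditional tag names such as `is_home`) is an assumption. It also lists POST requests to wp-admin separately, because their bodies are not logged and must be checked against an application-side audit trail.

```python
"""Scan web server access log lines for abuse of the conditional_tags parameter.

Added example, not the plugin's code. The log lines at the bottom are constructed;
the admin.php?page=example path and the expected "list of conditional tag names"
format of the parameter are assumptions made for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format:
# ip - authuser [time] "METHOD target HTTP/x" status size "referer" "user-agent"
# Note: authuser is HTTP basic-auth only; a WordPress login session is not in the log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Things that never belong in a list of conditional tag names: PHP variables,
# open tags, statement separators, backticks, or calls to dangerous functions.
PHP_MARKERS = re.compile(
    r'\$[A-Za-z_]|<\?|;|`|\b(?:system|exec|shell_exec|passthru|eval|assert|'
    r'base64_decode|file_put_contents|fwrite|fopen|include|require|unlink)\s*\(',
    re.IGNORECASE,
)

# Assumed legitimate shape: identifiers such as is_home, optionally comma-separated.
TAG_LIST = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*(?:\s*,\s*[A-Za-z_][A-Za-z0-9_]*)*$')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def conditional_tags_values(target):
    """Percent-decoded values of conditional_tags in the request's query string."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("conditional_tags", [])


def classify(value):
    """'suspicious' if the value contains PHP markers or is not a plain tag list."""
    if PHP_MARKERS.search(value) or not TAG_LIST.match(value.strip()):
        return "suspicious"
    return "benign"


def scan(lines):
    """Every request that carried conditional_tags in its URL, with a verdict."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for value in conditional_tags_values(rec["target"]):
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "method": rec["method"],
                "value": value,
                "verdict": classify(value),
            })
    return findings


def admin_posts(lines):
    """POST targets under /wp-admin/: bodies are not logged, so review these elsewhere."""
    targets = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["target"].startswith("/wp-admin/"):
            targets.append(rec["target"])
    return targets


# Constructed sample: one benign use, one URL-encoded payload (system($_GET[c]);),
# one unrelated request, and one admin POST whose body the log does not contain.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Feb/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=example'
    '&conditional_tags=is_home%2Cis_single HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Feb/2026:10:02:45 +0000] "GET /wp-admin/admin.php?page=example'
    '&conditional_tags=system%28%24_GET%5Bc%5D%29%3B HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Feb/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8200 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Feb/2026:10:04:10 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['verdict']:10} {f['ip']} {f['time']} {f['method']} conditional_tags={f['value']!r}")
    for t in admin_posts(SAMPLE_LOG):
        print("POST to admin endpoint (body not logged, check the application audit log):", t)
```

To run it over a real log, replace SAMPLE_LOG with the lines of the access log; everything the script reports as suspicious should be treated as an exploitation attempt by whichever administrator session was active at that time, and every admin POST around the same time deserves a look in the application-side audit trail.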
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the Lucky Wheel Giveaway plugin to version 1.0.23 or later, where input validation for the conditional_tags parameter has been enhanced to prevent unsafe characters and code execution.
Additional immediate steps include:
- Restrict administrator access to trusted users only, as exploitation requires an authenticated administrator-level account. Audit the list of administrator accounts, remove stale ones, enforce strong passwords and multi-factor authentication on the rest, and rotate credentials for any account suspected of compromise.
- If updating immediately is not possible, disable or remove the vulnerable plugin until the update can be applied; a deactivated plugin's settings handlers no longer run.
- Monitor logs for requests carrying the conditional_tags parameter with anything other than plain tag names, and for administrator settings changes made at unexpected times or from unexpected addresses, and respond accordingly. If exploitation is suspected, also check wp-content for recently modified or unexpected PHP files, since a successful eval() is commonly used to drop a web shell.