CVE-2025-14541
Awaiting Analysis Awaiting Analysis - Queue

BaseFortify

Vulnerability report for CVE-2025-14541, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-11

Last updated on: 2026-02-11

Assigner: Wordfence

Description

The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-11
Last Modified
2026-02-11
Generated
2026-07-06
AI Q&A
2026-02-11
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Lucky Wheel Giveaway plugin for WordPress has a vulnerability that allows Remote Code Execution (RCE) in all versions up to and including 1.0.22. This happens because the plugin uses PHP's eval() function on user-controlled input from the conditional_tags parameter without proper validation or sanitization.

As a result, authenticated attackers with Administrator-level access or higher can execute arbitrary code on the server, potentially taking full control of the affected system.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers with administrator privileges to execute arbitrary code on the server hosting the WordPress site.

  • Attackers could modify or delete website data.
  • They could install malware or backdoors to maintain persistent access.
  • It could lead to full server compromise, affecting other sites or services on the same server.
  • The integrity, confidentiality, and availability of the website and its data could be severely impacted.
Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the Lucky Wheel Giveaway WordPress plugin versions up to 1.0.22, where the conditional_tags parameter is improperly sanitized before being passed to PHP's eval() function. Detection involves identifying if this vulnerable plugin version is installed and if there is suspicious usage of the conditional_tags parameter.

To detect exploitation attempts or presence of the vulnerable plugin, you can:

  • Check the WordPress plugins directory for the Lucky Wheel Giveaway plugin version (<= 1.0.22). For example, on the server, run: `grep -r 'wp-lucky-wheel' wp-content/plugins/` and check the plugin version in its main plugin file.
  • Monitor web server logs for HTTP requests containing suspicious payloads in the conditional_tags parameter, which might include PHP code or unusual characters.
  • Use command-line tools like `grep` or `awk` on access logs to find requests with 'conditional_tags' parameter, e.g.: `grep 'conditional_tags=' /var/log/apache2/access.log`.
  • Look for authenticated administrator activity combined with suspicious POST or GET requests targeting the plugin endpoints.
Mitigation Strategies

The primary mitigation is to update the Lucky Wheel Giveaway plugin to version 1.0.23 or later, where input validation for the conditional_tags parameter has been enhanced to prevent unsafe characters and code execution.

Additional immediate steps include:

  • Restrict administrator access to trusted users only, as exploitation requires authenticated administrator-level access.
  • If updating immediately is not possible, consider disabling or removing the vulnerable plugin until the update can be applied.
  • Monitor logs for suspicious activity related to the conditional_tags parameter and respond accordingly.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14541. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart