What the vulnerability does
01Description
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Explanation of Vulnerability in Simple Terms
02Summary
The Lucky Wheel for WooCommerce plugin contains a code injection vulnerability affecting versions up to 1.1.13. An authenticated administrator can inject and execute arbitrary PHP code on the site. This allows complete control over the WordPress installation, including data theft, malware installation, and site defacement. Update immediately to a patched version.
What an attacker can do
03Attacker Capabilities
Run arbitrary PHP code on the site with full site privileges.
Potential impact on your site
04Site Impact
A compromised admin account can execute malicious code, steal data, install backdoors, or take the site offline.
Conditions required to exploit
05Prerequisites
Attacker must have administrator-level access to WordPress.
Key dates
06Disclosure timeline
December 30, 2025
CVE published
April 8, 2026
Record updated