CVE-2025-14541 HIGH

CVE-2025-14541: Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter

Vendor Villatheme
Product Lucky Wheel Giveaway
Weakness CWE-94 · Code injection
Published February 11, 2026
Last update April 8, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
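The description names the root cause: an administrator-supplied `conditional_tags` setting is passed to PHP's `eval()`. The following PHP is an added illustration written for this advisory, not the plugin's own code: it places that dangerous pattern next to an allowlist-based replacement that treats the setting as data rather than code. The function names (`lwg_should_show_wheel_vulnerable`, `lwg_should_show_wheel_safe`, `lwg_parse_conditional_tags`), the allowlist contents, the stubbed WordPress conditional tags and the sample inputs are all assumptions made for the example.

```php
<?php
// Added example for CVE-2025-14541 (not the Lucky Wheel Giveaway plugin's code).
// Shows the CWE-94 pattern the advisory describes, eval() on an admin-controlled
// "conditional_tags" string, beside a hardened replacement that never compiles
// the input as PHP. Function names, allowlist and sample values are assumptions.

// Stubs so the file runs outside WordPress; inside WordPress the real
// conditional tags (is_front_page(), is_single(), ...) are used instead.
if (!function_exists('is_front_page')) {
    function is_front_page(): bool { return true; }
}
if (!function_exists('is_single')) {
    function is_single(): bool { return false; }
}

/**
 * Vulnerable pattern (CWE-94): the stored setting is spliced into PHP source and
 * executed, so anyone able to write the setting can run arbitrary PHP.
 */
function lwg_should_show_wheel_vulnerable(string $conditional_tags): bool
{
    // Whatever $conditional_tags contains is executed as code here.
    return (bool) eval('return (' . $conditional_tags . ');');
}

/**
 * Hardened replacement: only names from a fixed allowlist are accepted and they
 * are invoked through call_user_func(), so there is no code path in which the
 * stored string is parsed or compiled as PHP.
 */
const LWG_ALLOWED_CONDITIONAL_TAGS = [
    'is_front_page',
    'is_home',
    'is_single',
    'is_page',
    'is_archive',
];

/**
 * Parse a comma-separated list such as "is_single, is_page" into validated
 * function names. Unknown or malformed entries are rejected, not silently skipped.
 */
function lwg_parse_conditional_tags(string $conditional_tags): array
{
    $tags = [];
    foreach (explode(',', $conditional_tags) as $raw) {
        $name = strtolower(trim($raw));
        if ($name === '') {
            continue;
        }
        // Strict shape check first, then allowlist membership (strict comparison).
        if (!preg_match('/^[a-z_]+$/', $name)
            || !in_array($name, LWG_ALLOWED_CONDITIONAL_TAGS, true)) {
            throw new InvalidArgumentException("Unsupported conditional tag: {$name}");
        }
        $tags[] = $name;
    }
    return $tags;
}

/** Show the wheel if any configured (validated) conditional tag evaluates true. */
function lwg_should_show_wheel_safe(string $conditional_tags): bool
{
    foreach (lwg_parse_conditional_tags($conditional_tags) as $tag) {
        if (function_exists($tag) && call_user_func($tag)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs.
var_dump(lwg_should_show_wheel_safe('is_single, is_front_page')); // bool(true) with the stubs above

try {
    // A value that the vulnerable function would have executed is simply rejected.
    lwg_should_show_wheel_safe('is_single; /* arbitrary PHP */');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design point is that the fix is not "sanitize the string before `eval()`": there is no reliable filter for PHP source. Removing `eval()` entirely and mapping the setting onto a closed set of callable names is what eliminates the CWE-94 class; when reviewing a plugin update for this issue, that absence of `eval()` (and of equivalents such as `create_function()` or `assert()` on strings) is the check to make.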

Explanation of Vulnerability in Simple Terms

02 Summary

Lucky Wheel Giveaway versions up to 1.0.22 contain a code injection vulnerability that allows high-privilege users to execute arbitrary PHP code on the site. An attacker with administrative or equivalent access can inject malicious code through unfiltered input, compromising the entire site. Update to a version newer than 1.0.22 immediately.

What an attacker can do

03 Attacker Capabilities

Run arbitrary PHP code on the site with full server privileges.

Potential impact on your site

04 Site Impact

A compromised admin account can execute code, steal data, modify content, or take the site offline.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level administrative access to the site.

Key dates

06 Disclosure timeline

February 11, 2026 CVE published
April 8, 2026 Record updated