What the vulnerability does
01 Description
The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
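The defect the advisory describes is the classic "eval on a settings string" pattern: a string of WordPress conditional tags such as `is_home() || is_single()` is saved from an admin form and later passed to `eval()`, so whatever PHP an administrator-level user types in that field runs on the server. The following added example is editorial illustration, not code from the Lucky Wheel Giveaway plugin; the function and class names (`lwg_evaluate_conditions_unsafe`, `LwgConditionEvaluator`) and the allow-list of tags are hypothetical. It shows the weak pattern next to a hardened replacement that never executes the string, but instead parses it as a tiny boolean expression over an allow-list of conditional tags and rejects everything else.

```php
<?php
// Added illustrative example, NOT the plugin's code. Names below are hypothetical.

// Weak pattern (the class of defect the advisory describes): a saved setting is
// executed as PHP. Any code an Administrator submits in the field will run.
function lwg_evaluate_conditions_unsafe(string $conditional_tags): bool
{
    // DO NOT DO THIS: this is code injection by design.
    return (bool) eval('return (' . $conditional_tags . ');');
}

// Hardened form: parse the setting as a boolean expression over an allow-list of
// conditional tag names; the string is never handed to the PHP interpreter.
// Grammar: expr := term ('||' term)* ; term := unary ('&&' unary)* ;
//          unary := '!' unary | '(' expr ')' | TAG [ '(' ')' ]
final class LwgConditionEvaluator
{
    // Hypothetical allow-list of WordPress conditional tags the site may reference.
    private const ALLOWED_TAGS = ['is_home', 'is_front_page', 'is_single', 'is_page', 'is_archive', 'is_search'];

    private array $tokens = [];
    private int $pos = 0;
    /** @var callable(string): bool  resolves a tag name to its current value */
    private $resolve;

    public function __construct(callable $resolve)
    {
        $this->resolve = $resolve;
    }

    public function evaluate(string $expr): bool
    {
        $compact = preg_replace('/\s+/', '', $expr);
        preg_match_all('/[A-Za-z_]\w*|&&|\|\||[!()]/', $compact, $m);
        // Reject any character the tokenizer did not consume (quotes, ';', '$', '.', ...).
        if ($compact === '' || implode('', $m[0]) !== $compact) {
            throw new InvalidArgumentException('conditional_tags contains disallowed characters');
        }
        $this->tokens = $m[0];
        $this->pos = 0;
        $result = $this->parseOr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('unexpected token: ' . $this->tokens[$this->pos]);
        }
        return $result;
    }

    private function peek(int $ahead = 0): ?string { return $this->tokens[$this->pos + $ahead] ?? null; }
    private function next(): ?string { return $this->tokens[$this->pos++] ?? null; }

    private function parseOr(): bool
    {
        $v = $this->parseAnd();
        while ($this->peek() === '||') {
            $this->next();
            $rhs = $this->parseAnd();   // always parse the right side; no short-circuit skipping of tokens
            $v = $v || $rhs;
        }
        return $v;
    }

    private function parseAnd(): bool
    {
        $v = $this->parseUnary();
        while ($this->peek() === '&&') {
            $this->next();
            $rhs = $this->parseUnary();
            $v = $v && $rhs;
        }
        return $v;
    }

    private function parseUnary(): bool
    {
        $tok = $this->next();
        if ($tok === '!') {
            return !$this->parseUnary();
        }
        if ($tok === '(') {
            $v = $this->parseOr();
            if ($this->next() !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            return $v;
        }
        if ($tok !== null && in_array($tok, self::ALLOWED_TAGS, true)) {
            // Accept the conventional empty call syntax "is_home()"; arguments are not supported.
            if ($this->peek() === '(' && $this->peek(1) === ')') {
                $this->pos += 2;
            }
            return (bool) ($this->resolve)($tok);
        }
        throw new InvalidArgumentException('disallowed conditional tag: ' . var_export($tok, true));
    }
}

// Offline demonstration with a constructed page state standing in for live WordPress tags.
// Inside WordPress the resolver would be: fn(string $t): bool => function_exists($t) && $t();
$state = ['is_home' => false, 'is_single' => true, 'is_page' => false];
$evaluator = new LwgConditionEvaluator(fn(string $tag): bool => $state[$tag] ?? false);
var_dump($evaluator->evaluate('is_single() || is_page()'));       // bool(true)
var_dump($evaluator->evaluate('!(is_home() || is_page())'));      // bool(true)
foreach (['is_home() || some_other_function()', 'is_home(); 1'] as $bad) {
    try {
        $evaluator->evaluate($bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$bad} ({$e->getMessage()})\n";
    }
}
```

Two design choices are worth noting. First, the tokenizer check `implode('', $m[0]) !== $compact` is what turns an allow-list into a real boundary: any character that is not part of a recognised token causes the whole string to be rejected rather than silently skipped. Second, the resolver is injected, so the same parser runs in unit tests without WordPress loaded, and the production resolver only calls a name after it has already passed the allow-list.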
Explanation of Vulnerability in Simple Terms
02 Summary
Lucky Wheel Giveaway versions up to 1.0.22 contain a code injection vulnerability that allows high-privilege users to execute arbitrary PHP code on the site. An attacker with administrative or equivalent access can inject malicious code through unfiltered input, compromising the entire site. Update to a version newer than 1.0.22 immediately.
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site with the privileges of the web server process.
Potential impact on your site
04 Site Impact
A compromised admin account can execute code, steal data, modify content, or take the site offline.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level administrative access to the site.
Key dates
06 Disclosure timeline
February 11, 2026: CVE published
April 8, 2026: Record updated