CVE-2026-0808 MEDIUM

CVE-2026-0808: Spin Wheel <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter

Vendor Bdthemes
Product Spin Wheel – Interactive spinning wheel that offers coupons
Weakness CWE-602 · Client-Side Enforcement of Server-Side Security
Published January 17, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.
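The two server-side patterns the description contrasts, as an added example that is not the Spin Wheel plugin's code: a handler that trusts the browser's 'prize_index' beside one that draws the prize on the server and ignores the client value. Function, AJAX action and option names are hypothetical; the WordPress API calls used are real.

```php
<?php
// Added example, not Spin Wheel's code. Function, action and option names are
// hypothetical; the WordPress calls (add_action, check_ajax_referer, get_option,
// wp_send_json_*) are real. random_int() is PHP's CSPRNG-backed integer source.
// The prize table lives only on the server; weights decide how often each
// prize is awarded. The browser never gets to choose from it.
function sw_example_prizes() {
    return get_option( 'sw_example_prizes', array(
        array( 'label' => '5% off',  'weight' => 70 ),
        array( 'label' => '20% off', 'weight' => 25 ),
        array( 'label' => '50% off', 'weight' => 5 ),
    ) );
}

// Vulnerable pattern (CWE-602): the outcome is whatever index the request
// carries, so the client, not the server, decides which coupon is issued.
function sw_example_spin_vulnerable() {
    $prizes = sw_example_prizes();
    $index  = (int) $_POST['prize_index'];
    wp_send_json_success( array( 'prize' => $prizes[ $index ]['label'] ) );
}

// Hardened pattern: the server draws the prize itself and ignores any
// client-supplied index; the nonce check rejects requests not issued by the page.
function sw_example_spin_hardened() {
    check_ajax_referer( 'sw_example_spin', 'nonce' );
    $prizes = sw_example_prizes();
    $total  = 0;
    foreach ( $prizes as $p ) {
        $total += max( 0, (int) $p['weight'] );
    }
    if ( 0 === $total ) {
        wp_send_json_error( 'no prizes configured', 500 ); // wp_die()s here
    }

    // Weighted draw: a point in [1, total], then walk the cumulative weights.
    $roll  = random_int( 1, $total );
    $index = 0;
    foreach ( $prizes as $i => $p ) {
        $roll -= max( 0, (int) $p['weight'] );
        if ( $roll <= 0 ) { $index = $i; break; }
    }

    // Return the server's choice so the wheel animates to it; issue/record the
    // coupon from $index here, never from a later client-supplied value.
    wp_send_json_success( array( 'prize_index' => $index, 'prize' => $prizes[ $index ]['label'] ) );
}
add_action( 'wp_ajax_nopriv_sw_example_spin', 'sw_example_spin_hardened' );
add_action( 'wp_ajax_sw_example_spin', 'sw_example_spin_hardened' );
```

The nonce only stops cross-site forgery; the actual fix for this weakness is that the outcome is computed from server-held state and a server-side random draw, so a tampered 'prize_index' has nothing to influence.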

Explanation of Vulnerability in Simple Terms

02 Summary

Spin Wheel versions 2.1.0 and earlier contain an integrity vulnerability (CWE-602) that lets an unauthenticated attacker on the network modify data, here the prize selection, without any user interaction; confidentiality and availability are not affected. Site administrators should update to a version newer than 2.1.0 to remediate this issue.

What an attacker can do

03 Attacker Capabilities

Modify application data or settings without authentication.

Potential impact on your site

04 Site Impact

Attackers can alter coupon data, wheel settings, or other application state without logging in.

Conditions required to exploit

05 Prerequisites

Network access to the affected site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

January 17, 2026 CVE published
April 8, 2026 Record updated