What the vulnerability does
01 Description
The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.
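The defensive pattern this advisory implies is for the server to draw the prize itself and hand the browser only a reference to that result. The following WordPress AJAX handlers are an added illustration, not the Spin Wheel plugin's code; the `sw_example_*` function and hook names, the prize table and the transient key prefix are all assumptions.

```php
<?php
// Illustrative WordPress AJAX handlers (added example, not the Spin Wheel
// plugin's code). All sw_example_* names and the prize table are assumed.

// Constructed prize table with server-side weights.
function sw_example_prizes(): array {
    return [
        ['label' => '5% off',    'weight' => 60],
        ['label' => '10% off',   'weight' => 30],
        ['label' => 'Free item', 'weight' => 10],
    ];
}

// Weighted draw with a CSPRNG; nothing from the request influences it.
function sw_example_draw(array $prizes): int {
    $roll = random_int(1, array_sum(array_column($prizes, 'weight')));
    foreach ($prizes as $i => $p) {
        $roll -= $p['weight'];
        if ($roll <= 0) {
            return $i;
        }
    }
    return count($prizes) - 1; // unreachable while all weights are positive
}

// Spin step. The vulnerable pattern the advisory describes would read
//   $index = absint($_POST['prize_index'] ?? 0);
// straight from the client; here the server decides and stores the result.
function sw_example_spin_handler(): void {
    check_ajax_referer('sw_example_spin', 'nonce');      // CSRF check
    $prizes = sw_example_prizes();
    $index  = sw_example_draw($prizes);
    $token  = bin2hex(random_bytes(16));                  // opaque handle
    set_transient('sw_example_spin_' . $token, $index, 15 * MINUTE_IN_SECONDS);
    wp_send_json_success(['token' => $token, 'prize' => $prizes[$index]['label']]);
}

// Claim step. Only the index the server stored can be redeemed, once.
function sw_example_claim_handler(): void {
    check_ajax_referer('sw_example_spin', 'nonce');
    $token = sanitize_key($_POST['token'] ?? '');
    $index = ($token !== '') ? get_transient('sw_example_spin_' . $token) : false;
    if ($index === false) {
        wp_send_json_error('unknown or expired spin', 400);
    }
    delete_transient('sw_example_spin_' . $token);       // single use
    wp_send_json_success(['prize' => sw_example_prizes()[(int) $index]['label']]);
}

add_action('wp_ajax_nopriv_sw_example_spin',  'sw_example_spin_handler');
add_action('wp_ajax_sw_example_spin',         'sw_example_spin_handler');
add_action('wp_ajax_nopriv_sw_example_claim', 'sw_example_claim_handler');
add_action('wp_ajax_sw_example_claim',        'sw_example_claim_handler');
```

Any `prize_index` a client posts is simply never read, so tampering with it has no effect; the claim endpoint trusts only the server-issued token.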
Explanation of Vulnerability in Simple Terms
02 Summary
Spin Wheel versions 2.1.0 and earlier contain an integrity vulnerability that allows network-based modification of data without authentication. The vulnerability requires no user interaction and affects the application's data integrity. Site administrators should update to a version newer than 2.1.0 to remediate this issue.
What an attacker can do
03 Attacker Capabilities
Modify application data or settings without authentication.
Potential impact on your site
04 Site Impact
Attackers can alter coupon data, wheel settings, or other application state without logging in.
Conditions required to exploit
05 Prerequisites
Network access to the affected site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
January 17, 2026: CVE published
April 8, 2026: Record updated