PHP Code Injection Vulnerability in Lucky Wheel for WooCommerce by Lucky Wheel
CVE-2025-14509

7.2 HIGH

What is CVE-2025-14509?

The Lucky Wheel for WooCommerce plugin is vulnerable to PHP code injection because the value of its 'Conditional Tags' setting is passed to eval() without validation or sanitization. An authenticated user with the Administrator role can therefore save a setting value that is executed as arbitrary PHP code on the server. The risk is greatest on multisite installations, where a Site Administrator can use the flaw to gain unauthorized access and manipulate the site's functionality.
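To make the defect concrete, the following is an added illustration (not code from the Lucky Wheel plugin or its fix). It places the pattern the advisory describes, an admin-editable option string handed to eval(), next to a hardened evaluator that only ever calls an allowlisted set of conditional-tag functions. The grammar, the class and method names, and the tag functions are assumptions made for this example; the stand-in is_product()/is_cart() style functions replace the real WordPress conditional tags so the file runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. The four functions below are local
// stand-ins for WordPress conditional tags so this file runs on its own.
function is_product(): bool { return true; }
function is_cart(): bool { return false; }
function is_checkout(): bool { return false; }
function is_user_logged_in(): bool { return false; }

// The pattern the advisory describes: the option string becomes PHP source.
// Whoever can save the setting runs code in the web server's process, which is
// why a Site Administrator on a multisite install ends up with server-level
// control. Kept here only for contrast; it is never called below.
function should_show_wheel_unsafe(string $conditional_tags): bool
{
    return (bool) eval('return (' . $conditional_tags . ');');
}

// Hardened replacement (assumed design): a small recursive-descent parser over
//   expr := and ('||' and)* ; and := not ('&&' not)* ; not := '!' not | atom
//   atom := '(' expr ')' | TAG
// Only names present in the allowlist are ever called, and any character that
// is not whitespace, an operator or an identifier is rejected before any call.
final class ConditionalTagsEvaluator
{
    private array $allowed;
    private array $tokens = [];
    private int $pos = 0;

    public function __construct(array $allowedTags)
    {
        $this->allowed = $allowedTags;
    }

    public function evaluate(string $expr): bool
    {
        // Tokenize; group 1 catches any character outside the grammar.
        preg_match_all('/\|\||&&|!|\(|\)|[A-Za-z_]\w*|\s+|(.)/s', $expr, $m, PREG_SET_ORDER);
        $this->tokens = [];
        foreach ($m as $match) {
            if (isset($match[1])) {
                throw new InvalidArgumentException("unexpected character '{$match[1]}' in conditional tags");
            }
            if (trim($match[0]) !== '') {
                $this->tokens[] = $match[0];
            }
        }
        $this->pos = 0;
        $result = $this->parseOr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('unexpected token: ' . $this->tokens[$this->pos]);
        }
        return $result;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    private function parseOr(): bool
    {
        $v = $this->parseAnd();
        while ($this->peek() === '||') { $this->pos++; $r = $this->parseAnd(); $v = $v || $r; }
        return $v;
    }

    private function parseAnd(): bool
    {
        $v = $this->parseNot();
        while ($this->peek() === '&&') { $this->pos++; $r = $this->parseNot(); $v = $v && $r; }
        return $v;
    }

    private function parseNot(): bool
    {
        if ($this->peek() === '!') { $this->pos++; return !$this->parseNot(); }
        return $this->parseAtom();
    }

    private function parseAtom(): bool
    {
        $t = $this->peek();
        if ($t === null) { throw new InvalidArgumentException('unexpected end of expression'); }
        $this->pos++;
        if ($t === '(') {
            $v = $this->parseOr();
            if ($this->peek() !== ')') { throw new InvalidArgumentException('missing closing parenthesis'); }
            $this->pos++;
            return $v;
        }
        if (!preg_match('/^[A-Za-z_]\w*$/', $t)) { throw new InvalidArgumentException("unexpected token: $t"); }
        if (!in_array($t, $this->allowed, true)) { throw new InvalidArgumentException("conditional tag not allowed: $t"); }
        // Reached only for an allowlisted function name; no other code can run.
        return (bool) $t();
    }
}

$evaluator = new ConditionalTagsEvaluator(['is_product', 'is_cart', 'is_checkout', 'is_user_logged_in']);

// A legitimate setting is evaluated by calling allowlisted tags only.
var_dump($evaluator->evaluate('is_product || (is_cart && !is_user_logged_in)'));

// Anything outside the grammar or the allowlist is refused before any call.
foreach (['is_product; $x', 'is_product || some_other_function'] as $bad) {
    try {
        $evaluator->evaluate($bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected \"$bad\": {$e->getMessage()}\n";
    }
}
```

The point of the design is that the setting is treated as data in a closed grammar rather than as source code: the set of callable functions is fixed at authoring time, so the level of trust placed in whoever edits the option drops from "can run PHP on the server" to "can choose among these tags". The same allowlist is the natural place to enforce this in a review or a detection rule, since any occurrence of eval() on an option value is the signal to look for.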

Affected Version(s)

Lucky Wheel for WooCommerce – Spin a Sale: all versions up to and including 1.1.13

References

CVSS V3.1 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Nguyen Truong