CVE-2025-14509: CWE-94 Improper Control of Generation of Code ('Code Injection') in villatheme Lucky Wheel for WooCommerce – Spin a Sale
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
CVE-2025-14509: CWE-94 Improper Control of Generation of Code ('Code Injection') in villatheme Lucky Wheel for WooCommerce – Spin a Sale
Description
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-11T02:09:49.371Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6953b7f671a94549f1bea5bf
Added to database: 12/30/2025, 11:31:02 AM
Last updated: 12/30/2025, 11:31:21 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-15245: Path Traversal in D-Link DCS-850L
MediumCVE-2025-69093: Missing Authorization in wpdesk ShopMagic
UnknownCVE-2025-69092: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WPDeveloper Essential Addons for Elementor
UnknownCVE-2025-69091: Missing Authorization in Kraft Plugins Demo Importer Plus
UnknownCVE-2025-69089: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in autolistings Auto Listings
UnknownActions
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.