Primary

Context

Lucky Wheel Giveaway WordPress Plugin Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the Lucky Wheel Giveaway plugin for WordPress, affecting all versions up to and including 1.0.22. The vulnerability arises from the plugin's use of PHP's eval() function to process user-controlled input via the conditional_tags parameter, without adequate validation or sanitization. This flaw allows authenticated attackers with Administrator-level access to execute arbitrary code on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the affected WordPress site is hosted.

Remediation

Users can update to version 1.0.23 or a newer patched version to address this vulnerability.

Added: Feb 11, 2026, 2:37 AM

Updated: Feb 11, 2026, 2:37 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.5

remediation

0.0

relevance

2.9

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.5

remediation

0.0

relevance

2.9

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Lucky Wheel Giveaway WordPress Plugin Remote Code Execution Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating