WordPress Spin Wheel Plugin Prize Manipulation Vulnerability
Vulnerability
A vulnerability exists in the Spin Wheel plugin for WordPress, allowing for client-side manipulation of prize selections. This issue is present in all versions through 2.1.0. The vulnerability arises because the plugin trusts the prize selection data sent by the client instead of validating it and drawing the prize on the server, enabling unauthenticated attackers to alter the 'prize_index' parameter and consistently obtain the most valuable prizes.
Impact
Exploitation of this vulnerability allows for unauthorized manipulation of prize selections, potentially leading to unfair advantages in contests or giveaways.
Reproduction
To reproduce this vulnerability, an unauthenticated user can send a request to the server with a modified 'prize_index' parameter. This can be done using browser developer tools or a tool like Postman. The server will process the request and award the prize corresponding to the selected index, without any validation or randomization.
Remediation
Users are advised to update the Spin Wheel plugin to version 2.1.1 or later.
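The following PHP is an added illustration and is not the Spin Wheel plugin's own code. It places the vulnerable pattern the advisory describes (an AJAX handler that awards whatever 'prize_index' the client posts) beside a hardened handler that ignores the client value, draws the prize server-side with a CSPRNG, and records the outcome for a later claim step. All function names, the nonce action, the prize table and the transient key are assumptions; only the WordPress API calls (check_ajax_referer, wp_send_json_success, set_transient, wp_generate_uuid4, add_action) are real.

```php
<?php
// Illustrative example only: this is NOT the Spin Wheel plugin's own code.
// Names such as hypothetical_spin_prizes, spin_wheel_vulnerable_handler,
// spin_wheel_hardened_handler and the transient key are assumptions.

// Constructed prize table; 'weight' is the chance out of the total weight.
function hypothetical_spin_prizes() {
    return array(
        array( 'label' => 'Free shipping', 'weight' => 60 ),
        array( 'label' => '10% off',       'weight' => 30 ),
        array( 'label' => '50% off',       'weight' => 9 ),
        array( 'label' => 'Free product',  'weight' => 1 ),
    );
}

// VULNERABLE pattern: the server awards whatever index the client sends.
// An unauthenticated request carrying prize_index=3 always gets "Free product".
function spin_wheel_vulnerable_handler() {
    $prizes = hypothetical_spin_prizes();
    $index  = isset( $_POST['prize_index'] ) ? absint( $_POST['prize_index'] ) : 0;
    if ( ! isset( $prizes[ $index ] ) ) {
        wp_send_json_error( 'bad index' );
    }
    // No randomization and no nonce: the outcome is chosen by the client.
    wp_send_json_success( array(
        'prize_index' => $index,
        'label'       => $prizes[ $index ]['label'],
    ) );
}

// Weighted random draw performed entirely on the server.
// random_int() is a CSPRNG (PHP 7+); rand()/mt_rand() are predictable.
function spin_wheel_draw_index( array $prizes ) {
    $total = 0;
    foreach ( $prizes as $p ) {
        $total += max( 0, (int) $p['weight'] );
    }
    if ( $total <= 0 ) {
        return 0; // degenerate table: every weight is zero
    }
    $roll = random_int( 1, $total );
    foreach ( $prizes as $i => $p ) {
        $roll -= max( 0, (int) $p['weight'] );
        if ( $roll <= 0 ) {
            return $i;
        }
    }
    return count( $prizes ) - 1; // not reached when $total > 0
}

// HARDENED handler: the client never chooses the prize. The server draws it,
// stores it, and returns the index only so the wheel can animate to that slice.
function spin_wheel_hardened_handler() {
    // Nonce ties the request to a page load; the front-end JS must send it.
    check_ajax_referer( 'hypothetical_spin_nonce', 'nonce' );

    // Any prize_index posted by the client is deliberately ignored here.
    $prizes = hypothetical_spin_prizes();
    $index  = spin_wheel_draw_index( $prizes );

    // Persist the server-side result under a random id so a later "claim"
    // request cannot substitute a different index (hypothetical key).
    $spin_id = wp_generate_uuid4();
    set_transient( 'hypothetical_spin_' . $spin_id, $index, HOUR_IN_SECONDS );

    wp_send_json_success( array(
        'spin_id'     => $spin_id,
        'prize_index' => $index,
        'label'       => $prizes[ $index ]['label'],
    ) );
}

// Both logged-in and logged-out visitors reach the hardened handler only.
add_action( 'wp_ajax_spin_wheel_spin',        'spin_wheel_hardened_handler' );
add_action( 'wp_ajax_nopriv_spin_wheel_spin', 'spin_wheel_hardened_handler' );
```

The key design point is that 'prize_index' flows from server to client, never the other way: the claim step should look up the stored spin_id rather than accept an index from the request. For detection on an unpatched site, requests to the spin endpoint whose 'prize_index' repeatedly equals the highest-value slice, especially from one source in quick succession, are a useful indicator in web server logs.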