CVE-2025-14509

Lucky · Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress

Executive summary

A high-severity vulnerability has been identified in the "Lucky Wheel for WooCommerce – Spin a Sale" WordPress plugin. This flaw allows an attacker to inject and execute malicious PHP code on the server, potentially leading to a complete website takeover, theft of sensitive customer data, and further attacks originating from the compromised server. Immediate patching is required to mitigate this significant security risk.

Vulnerability

The plugin is vulnerable to PHP Code Injection due to improper sanitization of user-supplied input. An unauthenticated attacker can craft a special request to the web server that includes malicious PHP code. The vulnerable component of the plugin processes this input without validation, causing the server to execute the attacker's code with the privileges of the web server's user account. This could allow an attacker to read, write, or delete files, interact with the database, or establish a persistent backdoor on the server.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to a complete compromise of the web server hosting the WordPress site. The potential consequences include theft of sensitive data such as customer Personally Identifiable Information (PII) and payment details from WooCommerce, website defacement, and loss of customer trust. Furthermore, a compromised server could be used to host malware, send spam, or launch attacks against other systems, causing significant reputational damage and potential legal and financial liabilities.

Remediation

Immediate Action: All administrators of WordPress sites using the "Lucky Wheel for WooCommerce – Spin a Sale" plugin must immediately update it to the latest version (any version greater than 1), in which this vulnerability has been patched. If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it to eliminate the attack surface.

Proactive Monitoring: Security teams should monitor web server access logs for unusual POST or GET requests targeting the plugin's endpoints, particularly those containing suspicious strings or encoded payloads (e.g., eval, system, shell_exec, base64_decode). Monitor file systems for unexpected creation or modification of PHP files within the WordPress installation directory. Anomaly detection on outbound network traffic from the web server could also indicate a successful compromise.
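A small triage script for the access-log review described above, added here as an example and not taken from the advisory or the plugin vendor. The plugin directory slug and endpoint filename are placeholders, since the advisory does not name the plugin's endpoints, and the log lines are constructed; the script scopes matching to the plugin path and URL-decodes repeatedly so that double-encoded payloads are still visible.

```python
import re
from urllib.parse import unquote

# Placeholder: the advisory does not name the plugin's endpoints, so substitute
# the real plugin directory slug before running this against production logs.
PLUGIN_PATH_PREFIX = "/wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/"

# Indicator strings named in the advisory's monitoring guidance.
SUSPICIOUS_TOKENS = ("eval", "system", "shell_exec", "base64_decode")

# Apache/nginx combined log format: ip - user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(s, rounds=3):
    """URL-decode until stable so double-encoded payloads are exposed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def inspect_line(line):
    """Return a finding for a plugin request carrying a suspicious token, else None.
    Substring matching is deliberately broad; this is a triage filter, not a verdict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_fully(m.group("target"))
    if not target.startswith(PLUGIN_PATH_PREFIX):
        return None
    hits = [t for t in SUSPICIOUS_TOKENS if t in target.lower()]
    if not hits:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "status": m.group("status"), "tokens": hits, "target": target}

def scan(lines):
    return [f for f in (inspect_line(l) for l in lines) if f]

# Constructed sample log lines (not real traffic); line 2 is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/assets/wheel.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2025:10:00:02 +0000] "POST /wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/endpoint.php?fn=%2573hell_exec HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-content/plugins/other-plugin/system.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/?q=eval HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Pipe real access logs through `scan()` line by line and pair any hit with a file-integrity check of the WordPress directory, as the advisory recommends.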

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP code injection attempts. Additionally, ensure web server file permissions are hardened to prevent the web user from writing to sensitive directories. Disabling potentially dangerous PHP functions (e.g., exec, passthru, shell_exec) in the php.ini configuration can also help limit the post-exploitation capabilities of an attacker.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the high severity (CVSS 7.2) and the critical impact of a successful exploit, we strongly recommend that organizations treat this vulnerability with urgency. All instances of the "Lucky Wheel for WooCommerce – Spin a Sale" plugin must be identified and patched immediately. Although this CVE is not currently listed on the CISA KEV list, its nature makes it a prime candidate for future inclusion if widespread exploitation occurs. Prioritize remediation to prevent a potential server compromise, data breach, and subsequent business disruption.