CVE-2026-0808 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trust…
Medium CVSS: 5.3

CVE-2026-0808

The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.
Vendor
-
Product
-
CWE
CWE-602
Yayın Tarihi
2026-01-17 07:16:02
Güncelleme
2026-01-26 15:05:39
Source Identifier
security@wordfence.com
KEV Date Added
-

Kategoriler

CWE-602 MEDIUM 2026

Referanslar

https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437726%40spin-wheel&new=3437726%40spin-wheel&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve