Lucky Wheel Giveaway Security & Risk Analysis

wordpress.org/plugins/wp-lucky-wheel

Collects customers' email addresses through a spin-the-wheel game that awards discount coupons.

600 active installs · v1.0.23 · PHP 7.0+ · WP 5.0+ · Updated Jan 14, 2026
Tags: fortune-wheel, giveaway, lucky-wheel, mailchimp, wheelio

Security score: 97/100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Feb 10, 2026
Safety Verdict

Is Lucky Wheel Giveaway Safe to Use in 2026?

Generally Safe

Score: 97/100

Lucky Wheel Giveaway has a strong security track record. Its one known vulnerability (CVE-2025-14541) was fixed in version 1.0.23 within a day.

1 known CVE · Last CVE: Feb 10, 2026 · Plugin updated 2 months ago
Risk Assessment

The static analysis of wp-lucky-wheel v1.0.23 shows a generally sound security posture. The scan found no dangerous functions and no raw SQL queries at all (so there is no direct database access for an injection to reach), and 516 of 518 output points are escaped, with two unescaped. Eleven nonce checks and five capability checks guard the admin and AJAX functionality. The notable weakness is a single REST API route, POST /wp-json/wordpress_lucky_wheel/spin (frontend\frontend.php:507), which the scan flags as unprotected. The spin endpoint is meant to be used by logged-out visitors, so a capability check is not the right control there, but a route with no permission callback relies entirely on what its handler verifies itself (for example the nonce the front end embeds in data-wplwl_nonce); if the handler verifies nothing, anyone can spin the wheel by script, submit arbitrary email addresses and harvest coupons. The logged-out AJAX handler wp_ajax_nopriv_wplwl_get_email (frontend\frontend.php:19) is a second public entry point with the same exposure.

The vulnerability history is short but not empty. There are no unpatched CVEs, but CVE-2025-14541 (High, 7.2) was a code injection flaw: authenticated remote code execution through the 'conditional_tags' parameter in versions <= 1.0.22, fixed in 1.0.23. The prerequisite is an Administrator-level account, which on a default single-site install already carries the ability to install plugins and run arbitrary PHP, so the practical impact is greatest on multisite networks and on sites that deliberately restrict what administrators can do (for instance with DISALLOW_FILE_MODS). It was nevertheless a high-severity flaw, and the one-day patch turnaround is the main mitigating fact. The taint analysis reports two of eight data flows with unsanitized paths, neither classified critical or high; the flagged flow is get_email (frontend\frontend.php:613), which by name corresponds to the wplwl_get_email AJAX handlers. Together with the unprotected REST route, this points at input validation and access control on the public-facing handlers as the areas to review.

In summary, wp-lucky-wheel v1.0.23 handles data and output well: no dangerous functions, no raw SQL and near-complete output escaping. The unprotected REST route is the one finding that calls for action, and the logged-out email handler and the two unsanitized flows deserve a closer look. The past code injection CVE is patched and its Administrator+ prerequisite limits it, but it shows that the plugin's settings handling has accepted a request parameter into code generation before, which warrants continued vigilance.

Key Concerns

  • Unprotected REST API route: POST /wp-json/wordpress_lucky_wheel/spin (frontend\frontend.php:507)
  • Past high-severity 'Code Injection' vulnerability: CVE-2025-14541, Administrator+ RCE via 'conditional_tags', fixed in 1.0.23
  • Two data flows with unsanitized paths, including get_email (frontend\frontend.php:613); neither rated critical or high
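The following is an added example, not code from the plugin or from VillaTheme. It shows the route the scan flagged, POST /wp-json/wordpress_lucky_wheel/spin, registered first without a permission_callback (the pattern such scanners report as unprotected) and then hardened with a permission callback, typed and sanitized arguments, and a per-IP throttle. The callback names, the email and wheel_id argument names, the X-WPLWL-Nonce header and wplwl_spin nonce action, the throttle limits and the slice count are assumptions for illustration; only the namespace and path come from the analysis above.

```php
<?php
/*
 * Added example, not the plugin's code. Contrasts a REST route registered
 * without a permission_callback with a hardened registration of the same
 * route. Only the namespace and path are taken from the code analysis; the
 * callback names, argument names, nonce action, header name, throttle limits
 * and slice count are assumed for illustration.
 */

/* BEFORE: reachable by anyone who can reach the site. Since WordPress 5.5 a
 * missing permission_callback also triggers a _doing_it_wrong() notice.
 * (Shown for contrast; a real plugin would ship only the hardened version.) */
add_action( 'rest_api_init', function () {
	register_rest_route( 'wordpress_lucky_wheel', '/spin', array(
		'methods'  => 'POST',
		'callback' => 'example_lwl_spin_unprotected',
	) );
} );

function example_lwl_spin_unprotected( WP_REST_Request $request ) {
	$email = $request->get_param( 'email' ); // arrives unsanitized, from anyone
	return rest_ensure_response( array( 'email' => $email ) );
}

/* AFTER: explicit permission_callback, typed and validated arguments. */
add_action( 'rest_api_init', function () {
	register_rest_route( 'wordpress_lucky_wheel', '/spin', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'example_lwl_spin',
		'permission_callback' => 'example_lwl_spin_permission',
		'args'                => array(
			'email' => array(
				'required'          => true,
				'type'              => 'string',
				'validate_callback' => function ( $value ) {
					return is_email( $value ) !== false;
				},
				'sanitize_callback' => 'sanitize_email',
			),
			'wheel_id' => array(
				'required'          => true,
				'type'              => 'integer',
				'sanitize_callback' => 'absint',
			),
		),
	) );
} );

function example_lwl_spin_permission( WP_REST_Request $request ) {
	// The wheel is shown to logged-out visitors, so current_user_can() is not
	// the right gate. Require a nonce that the page embeds (the plugin exposes
	// one in data-wplwl_nonce; the action name and header are assumed). For
	// user 0 a nonce only proves the caller fetched a recently rendered page,
	// so the throttle below is the real anti-automation control.
	$nonce = $request->get_header( 'X-WPLWL-Nonce' ); // get_header() canonicalizes the name
	if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wplwl_spin' ) ) {
		return new WP_Error( 'rest_forbidden', 'Missing or invalid nonce.', array( 'status' => 403 ) );
	}

	// Per-IP throttle: 10 spins per 10 minutes (assumed limits). Transients are
	// not atomic; a busy site should use an object-cache backed counter.
	$ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	$key   = 'wplwl_spin_' . md5( $ip );
	$count = (int) get_transient( $key );
	if ( $count >= 10 ) {
		return new WP_Error( 'rest_too_many_requests', 'Too many spins.', array( 'status' => 429 ) );
	}
	set_transient( $key, $count + 1, 10 * MINUTE_IN_SECONDS );
	return true;
}

function example_lwl_spin( WP_REST_Request $request ) {
	// Arguments have already passed their validate/sanitize callbacks.
	$email    = $request->get_param( 'email' );
	$wheel_id = $request->get_param( 'wheel_id' );

	// Choose the winning slice server-side; never accept a slice index from the
	// client. The slice count would come from the wheel's saved settings; a
	// fixed value is assumed here.
	$slice_count = 8;
	$index       = wp_rand( 0, $slice_count - 1 );

	return rest_ensure_response( array(
		'wheel_id' => $wheel_id,
		'email'    => $email,
		'slice'    => $index,
	) );
}
```

Because the wheel is offered to logged-out visitors, the permission callback cannot use current_user_can(); for user 0 a WordPress nonce only demonstrates that the caller obtained a recently rendered page, which is why the throttle carries most of the anti-automation weight. The same nonce and sanitization discipline applies to the nopriv AJAX handler wp_ajax_nopriv_wplwl_get_email listed under Attack Surface.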
Vulnerabilities (1)

Lucky Wheel Giveaway Security Vulnerabilities

CVEs by Year

  2026: 1 CVE (patched)

Severity Breakdown

  High: 1

1 total CVE

CVE-2025-14541 · High · 7.2 · Improper Control of Generation of Code ('Code Injection')

Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter

Feb 10, 2026 · Patched in 1.0.23 (1d)
Code Analysis (analyzed Mar 16, 2026)

Lucky Wheel Giveaway Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (516 escaped)
Nonce Checks: 11
Capability Checks: 5
File Operations: 1
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

  Select2

Output Escaping

516 of 518 outputs escaped (99.6%), 2 unescaped
Data Flows: 2 unsanitized

Data Flow Analysis

8 flows, 2 with unsanitized paths

Flagged flow: get_email (frontend\frontend.php:613), which by name corresponds to the wplwl_get_email AJAX handlers registered at frontend\frontend.php:18 and :19 (the latter reachable without login).

[Flow diagram not reproduced. Legend: source (user input) → sanitizer / transform → sink (dangerous operation); each path is marked sanitized or unsanitized.]
Attack Surface: 1 unprotected

Lucky Wheel Giveaway Attack Surface

Entry Points: 4
Unprotected: 1

AJAX Handlers (3)

  auth     wp_ajax_wplwl_preview_emails   admin\settings.php:19
  auth     wp_ajax_wplwl_get_email        frontend\frontend.php:18
  nopriv   wp_ajax_wplwl_get_email        frontend\frontend.php:19

REST API Routes (1)

  POST   /wp-json/wordpress_lucky_wheel/spin   frontend\frontend.php:507   (flagged unprotected)
WordPress Hooks (37)

  type    hook                                                file:line
  action  admin_init                                          admin\settings.php:13
  action  admin_init                                          admin\settings.php:14
  action  admin_menu                                          admin\settings.php:15
  action  admin_enqueue_scripts                               admin\settings.php:16
  action  media_buttons                                       admin\settings.php:17
  action  admin_footer                                        admin\settings.php:18
  action  wp_enqueue_scripts                                  frontend\frontend.php:16
  action  rest_api_init                                       frontend\frontend.php:21
  filter  wp_mail_from                                        frontend\frontend.php:54
  filter  wp_mail_from_name                                   frontend\frontend.php:57
  filter  wp_mail_content_type                                frontend\frontend.php:59
  action  wp_footer                                           frontend\frontend.php:500
  action  admin_enqueue_scripts                               includes\support.php:32
  action  admin_notices                                       includes\support.php:33
  action  admin_init                                          includes\support.php:34
  action  admin_menu                                          includes\support.php:35
  filter  plugin_row_meta                                     includes\support.php:37
  action  admin_init                                          includes\support.php:39
  action  admin_bar_menu                                      includes\support.php:41
  action  admin_notices                                       includes\support.php:52
  action  admin_footer                                        includes\support.php:669
  action  admin_bar_menu                                      includes\support.php:807
  action  admin_notices                                       includes\support.php:953
  filter  wplwl_update_settings_args                          plugins\9mail.php:15
  action  wplwl_wheel_settings_slices_column                  plugins\9mail.php:16
  action  wplwl_wheel_settings_slices_column_content          plugins\9mail.php:17
  filter  emtmpl_register_email_type                          plugins\9mail.php:19
  filter  emtmpl_sample_subjects                              plugins\9mail.php:20
  filter  emtmpl_sample_templates                             plugins\9mail.php:21
  filter  emtmpl_shortcode_for_editor                         plugins\9mail.php:22
  action  plugins_loaded                                      wp-lucky-wheel.php:32
  action  init                                                wp-lucky-wheel.php:52
  action  init                                                wp-lucky-wheel.php:53
  action  add_meta_boxes                                      wp-lucky-wheel.php:54
  filter  manage_wplwl_email_posts_columns                    wp-lucky-wheel.php:55
  action  manage_wplwl_email_posts_custom_column              wp-lucky-wheel.php:56
  filter  plugin_action_links_wp-lucky-wheel/wp-lucky-wheel.php   wp-lucky-wheel.php:57
Maintenance & Trust

Lucky Wheel Giveaway Maintenance & Trust

Maintenance Signals

  WordPress version tested: 6.9.4
  Last updated: Jan 14, 2026
  PHP min version: 7.0
  Downloads: 40K

Community Trust

  Rating: 78/100
  Number of ratings: 8
  Active installs: 600
Developer Profile

Lucky Wheel Giveaway Developer Profile

VillaTheme

58 plugins · 167K total installs

  Trust score: 78
  Avg Security Score: 99/100
  Avg Patch Time: 214 days

Note that the developer's average patch time across its catalogue (214 days) is far longer than the one-day turnaround recorded for this plugin's CVE; treat the plugin-level figure, not the developer average, as the expectation for wp-lucky-wheel only if that pattern holds for future advisories.
Detection Fingerprints

How We Detect Lucky Wheel Giveaway

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  /wp-content/plugins/wp-lucky-wheel/includes/support.php
  /wp-content/plugins/wp-lucky-wheel/includes/includes.php
Version Parameters
  wp-lucky-wheel/wp-lucky-wheel.php?ver=

HTML / DOM Fingerprints

CSS Classes
  vi-ui
Data Attributes
  data-wplwl_id, data-wplwl_nonce, data-wplwl_spin, data-wplwl_wheel_config, data-wplwl_wheel_settings, data-wplwl_winners
JS Globals
  wp_lucky_wheel_frontend_params
REST Endpoints
  /wp-json/wp-lucky-wheel/v1/spin
  /wp-json/wp-lucky-wheel/v1/collect
  /wp-json/wp-lucky-wheel/v1/claim
  Note: the code analysis above found the plugin registering POST /wp-json/wordpress_lucky_wheel/spin (frontend\frontend.php:507), a different namespace from the v1 paths listed here; probe both forms when fingerprinting.
Shortcode Output
  [lucky-wheel], [lucky-wheel id=], [lucky-wheel url=]
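An added example, not code from the plugin or from the audit service that produced these fingerprints: a PHP function that applies the patterns above to a saved HTML page, reports which signals matched, and extracts the version from a ?ver= parameter on a plugin asset URL. It is run over a constructed page fragment. The regular expressions and the two-signal detection rule are this example's own; both REST path forms that appear on this page are included in the route pattern.

```php
<?php
/*
 * Added example, not the plugin's or the audit service's code. Applies the
 * fingerprint patterns listed on this page to an HTML document. The regexes
 * and the detection rule are this example's own; the sample page is constructed.
 */

function detect_lucky_wheel( string $html ): array {
	$patterns = array(
		// Plugin asset under the standard plugins directory.
		'asset_path' => '~/wp-content/plugins/wp-lucky-wheel/~',
		// Framework class the plugin's markup uses (weak on its own: other
		// VillaTheme plugins use the same prefix).
		'css_class'  => '~class="[^"]*\bvi-ui\b~',
		// Data attributes emitted by the wheel template.
		'data_attr'  => '~\bdata-wplwl_(?:id|nonce|spin|wheel_config|wheel_settings|winners)\b~',
		// Localized script parameters object.
		'js_global'  => '~\bwp_lucky_wheel_frontend_params\b~',
		// Both route forms listed on this page.
		'rest_route' => '~/wp-json/(?:wordpress_lucky_wheel/spin|wp-lucky-wheel/v1/(?:spin|collect|claim))~',
		// Raw shortcode, only present if a page leaks unrendered content.
		'shortcode'  => '~\[lucky-wheel(?:\s+(?:id|url)=[^\]]*)?\]~',
	);

	$result = array( 'detected' => false, 'signals' => array(), 'version' => null );
	foreach ( $patterns as $name => $re ) {
		if ( preg_match( $re, $html ) ) {
			$result['signals'][] = $name;
		}
	}

	// Version from any plugin asset URL carrying ?ver=, e.g. .../css/frontend.css?ver=1.0.23
	if ( preg_match( '~/plugins/wp-lucky-wheel/[^"\'\s]*\?ver=([0-9][0-9.]*)~', $html, $m ) ) {
		$result['version'] = $m[1];
	}

	// The data attributes and the JS global come only from the plugin's own
	// templates; an asset path or class alone could be a stale link or a
	// sibling plugin, so require one strong signal or any two signals.
	$strong             = array_intersect( $result['signals'], array( 'data_attr', 'js_global' ) );
	$result['detected'] = count( $strong ) > 0 || count( $result['signals'] ) >= 2;
	return $result;
}

// Constructed sample page fragment for the example (not a real capture).
$sample = <<<'HTML'
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/wp-lucky-wheel/css/frontend.css?ver=1.0.23">
<script>var wp_lucky_wheel_frontend_params = {"ajax_url":"https://shop.example/wp-admin/admin-ajax.php"};</script>
<div class="vi-ui wplwl-wheel" data-wplwl_id="1" data-wplwl_nonce="deadbeef00" data-wplwl_wheel_config="{}"></div>
HTML;

// A page with only a stale stylesheet link should not count as a detection.
$negative = '<link rel="stylesheet" href="https://shop.example/wp-content/plugins/wp-lucky-wheel/css/old.css">';

print_r( detect_lucky_wheel( $sample ) );   // detected: true, version 1.0.23
print_r( detect_lucky_wheel( $negative ) ); // detected: false, one weak signal
```

The version string is the most useful output for triage: a site reporting 1.0.22 or lower is within the affected range of CVE-2025-14541, while the REST route pattern is best confirmed with an actual unauthenticated request to the route rather than from page content alone.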
FAQ

Frequently Asked Questions about Lucky Wheel Giveaway