Medium severity5.3NVD Advisory· Published Jan 17, 2026· Updated Apr 15, 2026
CVE-2026-0808
CVE-2026-0808
Description
The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=2.1.0
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.