CVE-2026-0808 - Spin Wheel <= 2.1.0 - unauthenticated client-side prize manipulation via 'prize_i...

CVE ID : CVE-2026-0808 Published : Jan. 17, 2026, 7:16 a.m. | 1 hour, 13 minutes ago Description : The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...