Calendario de publicaciones de la clase Holiday <= 7.1 - Ejecución Remota de Código No Autenticada vía 'contents'
Plataforma
wordpress
Componente
holiday-class-post-calendar
Corregido en
7.1.1
CVE-2025-12813 describes a critical Remote Code Execution (RCE) vulnerability discovered in the Holiday class post calendar plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability impacts versions 0.0.0 through 7.1, and a fix is available in version 7.2.
Detecta esta CVE en tu proyecto
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Impacto y Escenarios de Ataquetraduciendo…
The impact of this vulnerability is severe. An attacker can leverage the lack of sanitization in the 'contents' parameter to inject and execute malicious code directly on the WordPress server. This could lead to complete server compromise, including data theft, modification, or deletion. Attackers could also use the compromised server to launch further attacks against other systems on the network, significantly expanding the blast radius. The ease of exploitation, requiring no authentication, makes this a high-priority risk.
Contexto de Explotacióntraduciendo…
This vulnerability is considered highly exploitable due to its ease of access and the potential for complete system compromise. While no public exploits have been widely reported at the time of writing, the lack of authentication required significantly increases the likelihood of exploitation. The vulnerability was publicly disclosed on 2025-11-11 and added to the CISA KEV catalog, indicating a heightened risk of exploitation.
Quién Está en Riesgotraduciendo…
WordPress websites utilizing the Holiday class post calendar plugin, particularly those running older, unpatched versions (0.0.0–7.1), are at significant risk. Shared hosting environments are particularly vulnerable as they often lack granular control over plugin updates and security configurations. Sites with limited security monitoring or those relying solely on automatic updates are also at increased risk.
Pasos de Deteccióntraduciendo…
• wordpress / composer / npm:
grep -r 'contents' /var/www/html/wp-content/plugins/holiday-class-post-calendar/*• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/holiday-class-post-calendar/?contents=<script>alert('XSS')</script>• wordpress / composer / npm:
wp plugin list | grep 'holiday-class-post-calendar'• wordpress / composer / npm:
wp plugin update holiday-class-post-calendarCronología del Ataque
- Disclosure
disclosure
- Patch
patch
- CISA KEV
kev
Inteligencia de Amenazas
Estado del Exploit
EPSS
0.45% (63% percentil)
CISA SSVC
Vector CVSS
¿Qué significan estas métricas?
- Attack Vector
- Red — explotable remotamente por internet. Sin acceso físico ni local. Mayor superficie de ataque.
- Attack Complexity
- Baja — sin condiciones especiales. El atacante puede explotar de forma confiable sin configuraciones raras.
- Privileges Required
- Ninguno — sin autenticación. No se necesitan credenciales para explotar.
- User Interaction
- Ninguna — el ataque es automático y silencioso. La víctima no hace nada.
- Scope
- Sin cambio — el impacto se limita al componente vulnerable.
- Confidentiality
- Alto — pérdida total de confidencialidad. El atacante puede leer todos los datos.
- Integrity
- Alto — el atacante puede escribir, modificar o eliminar cualquier dato.
- Availability
- Alto — caída completa o agotamiento de recursos. Denegación de servicio total.
Software Afectado
Información del paquete
- Instalaciones activas
- 90
- Valoración del plugin
- 0.0
- Requiere WordPress
- 4.5+
- Compatible hasta
- 6.9.4
- Requiere PHP
- 7.0+
Clasificación de Debilidad (CWE)
Cronología
- Reservado
- Publicada
- Modificada
- EPSS actualizado
Mitigación y Workaroundstraduciendo…
The primary mitigation is to immediately upgrade the Holiday class post calendar plugin to version 7.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious input in the 'contents' parameter. Carefully review WordPress access logs for any unusual activity related to the plugin, specifically looking for attempts to inject code.
Cómo corregirlo
Actualizar a la versión 7.2, o una versión parcheada más reciente
Boletín de seguridad CVE
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
Preguntas frecuentestraduciendo…
What is CVE-2025-12813 — Remote Code Execution in Holiday class post calendar?
CVE-2025-12813 is a critical RCE vulnerability in the Holiday class post calendar WordPress plugin, allowing attackers to execute code via the 'contents' parameter due to insufficient sanitization.
Am I affected by CVE-2025-12813 in Holiday class post calendar?
You are affected if your WordPress site uses the Holiday class post calendar plugin in versions 0.0.0 through 7.1. Upgrade to 7.2 to resolve the issue.
How do I fix CVE-2025-12813 in Holiday class post calendar?
Upgrade the Holiday class post calendar plugin to version 7.2 or later. If immediate upgrade is not possible, disable the plugin or implement a WAF rule to block malicious input.
Is CVE-2025-12813 being actively exploited?
While no widespread exploitation has been confirmed, the vulnerability's ease of access and lack of authentication make it a high-risk target for potential exploitation.
Where can I find the official Holiday class post calendar advisory for CVE-2025-12813?
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.
¿Tu proyecto está afectado?
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.