Plataforma
wordpress
Componente
holiday-class-post-calendar
Corregido en
7.1.1
CVE-2025-12813 describes a critical Remote Code Execution (RCE) vulnerability discovered in the Holiday class post calendar plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability impacts versions 0.0.0 through 7.1, and a fix is available in version 7.2.
The impact of this vulnerability is severe. An attacker can leverage the lack of sanitization in the 'contents' parameter to inject and execute malicious code directly on the WordPress server. This could lead to complete server compromise, including data theft, modification, or deletion. Attackers could also use the compromised server to launch further attacks against other systems on the network, significantly expanding the blast radius. The ease of exploitation, requiring no authentication, makes this a high-priority risk.
This vulnerability is considered highly exploitable due to its ease of access and the potential for complete system compromise. While no public exploits have been widely reported at the time of writing, the lack of authentication required significantly increases the likelihood of exploitation. The vulnerability was publicly disclosed on 2025-11-11 and added to the CISA KEV catalog, indicating a heightened risk of exploitation.
WordPress websites utilizing the Holiday class post calendar plugin, particularly those running older, unpatched versions (0.0.0–7.1), are at significant risk. Shared hosting environments are particularly vulnerable as they often lack granular control over plugin updates and security configurations. Sites with limited security monitoring or those relying solely on automatic updates are also at increased risk.
• wordpress / composer / npm:
grep -r 'contents' /var/www/html/wp-content/plugins/holiday-class-post-calendar/*• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/holiday-class-post-calendar/?contents=<script>alert('XSS')</script>• wordpress / composer / npm:
wp plugin list | grep 'holiday-class-post-calendar'• wordpress / composer / npm:
wp plugin update holiday-class-post-calendardisclosure
patch
kev
Estado del Exploit
EPSS
0.45% (63% percentil)
CISA SSVC
Vector CVSS
The primary mitigation is to immediately upgrade the Holiday class post calendar plugin to version 7.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious input in the 'contents' parameter. Carefully review WordPress access logs for any unusual activity related to the plugin, specifically looking for attempts to inject code.
Actualizar a la versión 7.2, o una versión parcheada más reciente
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
CVE-2025-12813 is a critical RCE vulnerability in the Holiday class post calendar WordPress plugin, allowing attackers to execute code via the 'contents' parameter due to insufficient sanitization.
You are affected if your WordPress site uses the Holiday class post calendar plugin in versions 0.0.0 through 7.1. Upgrade to 7.2 to resolve the issue.
Upgrade the Holiday class post calendar plugin to version 7.2 or later. If immediate upgrade is not possible, disable the plugin or implement a WAF rule to block malicious input.
While no widespread exploitation has been confirmed, the vulnerability's ease of access and lack of authentication make it a high-risk target for potential exploitation.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.