Plateforme
wordpress
Composant
holiday-class-post-calendar
Corrigé dans
7.1.1
CVE-2025-12813 describes a critical Remote Code Execution (RCE) vulnerability discovered in the Holiday class post calendar plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability impacts versions 0.0.0 through 7.1, and a fix is available in version 7.2.
The impact of this vulnerability is severe. An attacker can leverage the lack of sanitization in the 'contents' parameter to inject and execute malicious code directly on the WordPress server. This could lead to complete server compromise, including data theft, modification, or deletion. Attackers could also use the compromised server to launch further attacks against other systems on the network, significantly expanding the blast radius. The ease of exploitation, requiring no authentication, makes this a high-priority risk.
This vulnerability is considered highly exploitable due to its ease of access and the potential for complete system compromise. While no public exploits have been widely reported at the time of writing, the lack of authentication required significantly increases the likelihood of exploitation. The vulnerability was publicly disclosed on 2025-11-11 and added to the CISA KEV catalog, indicating a heightened risk of exploitation.
WordPress websites utilizing the Holiday class post calendar plugin, particularly those running older, unpatched versions (0.0.0–7.1), are at significant risk. Shared hosting environments are particularly vulnerable as they often lack granular control over plugin updates and security configurations. Sites with limited security monitoring or those relying solely on automatic updates are also at increased risk.
• wordpress / composer / npm:
grep -r 'contents' /var/www/html/wp-content/plugins/holiday-class-post-calendar/*• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/holiday-class-post-calendar/?contents=<script>alert('XSS')</script>• wordpress / composer / npm:
wp plugin list | grep 'holiday-class-post-calendar'• wordpress / composer / npm:
wp plugin update holiday-class-post-calendardisclosure
patch
kev
Statut de l'Exploit
EPSS
0.45% (percentile 63%)
CISA SSVC
Vecteur CVSS
The primary mitigation is to immediately upgrade the Holiday class post calendar plugin to version 7.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious input in the 'contents' parameter. Carefully review WordPress access logs for any unusual activity related to the plugin, specifically looking for attempts to inject code.
Update to version 7.2, or a newer patched version
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2025-12813 is a critical RCE vulnerability in the Holiday class post calendar WordPress plugin, allowing attackers to execute code via the 'contents' parameter due to insufficient sanitization.
You are affected if your WordPress site uses the Holiday class post calendar plugin in versions 0.0.0 through 7.1. Upgrade to 7.2 to resolve the issue.
Upgrade the Holiday class post calendar plugin to version 7.2 or later. If immediate upgrade is not possible, disable the plugin or implement a WAF rule to block malicious input.
While no widespread exploitation has been confirmed, the vulnerability's ease of access and lack of authentication make it a high-risk target for potential exploitation.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.