無料スキャン
CRITICALCVE-2025-12813CVSS 9.8

Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'

翻訳中…

プラットフォーム

wordpress

コンポーネント

holiday-class-post-calendar

修正版

7.1.1

AI Confidence: highNVDEPSS 0.4%レビュー済み: 2026年5月
NVDで見る
保存
あなたの言語に翻訳中…

CVE-2025-12813 describes a critical Remote Code Execution (RCE) vulnerability discovered in the Holiday class post calendar plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability impacts versions 0.0.0 through 7.1, and a fix is available in version 7.2.

WordPress

このCVEがあなたのプロジェクトに影響するか確認

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャン

影響と攻撃シナリオ翻訳中…

The impact of this vulnerability is severe. An attacker can leverage the lack of sanitization in the 'contents' parameter to inject and execute malicious code directly on the WordPress server. This could lead to complete server compromise, including data theft, modification, or deletion. Attackers could also use the compromised server to launch further attacks against other systems on the network, significantly expanding the blast radius. The ease of exploitation, requiring no authentication, makes this a high-priority risk.

悪用の状況翻訳中…

This vulnerability is considered highly exploitable due to its ease of access and the potential for complete system compromise. While no public exploits have been widely reported at the time of writing, the lack of authentication required significantly increases the likelihood of exploitation. The vulnerability was publicly disclosed on 2025-11-11 and added to the CISA KEV catalog, indicating a heightened risk of exploitation.

リスク対象者翻訳中…

WordPress websites utilizing the Holiday class post calendar plugin, particularly those running older, unpatched versions (0.0.0–7.1), are at significant risk. Shared hosting environments are particularly vulnerable as they often lack granular control over plugin updates and security configurations. Sites with limited security monitoring or those relying solely on automatic updates are also at increased risk.

検出手順翻訳中…

• wordpress / composer / npm:

grep -r 'contents' /var/www/html/wp-content/plugins/holiday-class-post-calendar/*

• generic web:

curl -I https://your-wordpress-site.com/wp-content/plugins/holiday-class-post-calendar/?contents=<script>alert('XSS')</script>

• wordpress / composer / npm:

wp plugin list | grep 'holiday-class-post-calendar'

• wordpress / composer / npm:

wp plugin update holiday-class-post-calendar

攻撃タイムライン

  1. Disclosure

    disclosure

  2. Patch

    patch

  3. CISA KEV

    kev

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

EPSS

0.45% (63% パーセンタイル)

CISA SSVC

悪用状況none
自動化可能yes
技術的影響total

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredNone攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeUnchanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityHighサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
なし — 認証不要。資格情報なしで悪用可能。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。

影響を受けるソフトウェア

コンポーネントholiday-class-post-calendar
ベンダーwordfence
影響範囲修正版
0 – 7.17.1.1

パッケージ情報

アクティブインストール数
90
プラグイン評価
0.0
WordPressが必要
4.5+
動作確認済みバージョン
6.9.4
PHPが必要
7.0+
ホームページ

弱点分類 (CWE)

CWE-94

タイムライン

  1. 予約済み
  2. 公開日
  3. 更新日
  4. EPSS 更新日

緩和策と回避策翻訳中…

The primary mitigation is to immediately upgrade the Holiday class post calendar plugin to version 7.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious input in the 'contents' parameter. Carefully review WordPress access logs for any unusual activity related to the plugin, specifically looking for attempts to inject code.

修正方法翻訳中…

Update to version 7.2, or a newer patched version

CVEセキュリティニュースレター

脆弱性分析と重要アラートをメールでお届けします。

よくある質問翻訳中…

What is CVE-2025-12813 — Remote Code Execution in Holiday class post calendar?

CVE-2025-12813 is a critical RCE vulnerability in the Holiday class post calendar WordPress plugin, allowing attackers to execute code via the 'contents' parameter due to insufficient sanitization.

Am I affected by CVE-2025-12813 in Holiday class post calendar?

You are affected if your WordPress site uses the Holiday class post calendar plugin in versions 0.0.0 through 7.1. Upgrade to 7.2 to resolve the issue.

How do I fix CVE-2025-12813 in Holiday class post calendar?

Upgrade the Holiday class post calendar plugin to version 7.2 or later. If immediate upgrade is not possible, disable the plugin or implement a WAF rule to block malicious input.

Is CVE-2025-12813 being actively exploited?

While no widespread exploitation has been confirmed, the vulnerability's ease of access and lack of authentication make it a high-risk target for potential exploitation.

Where can I find the official Holiday class post calendar advisory for CVE-2025-12813?

Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索