Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'
traduzindo…Plataforma
wordpress
Componente
holiday-class-post-calendar
Corrigido em
7.1.1
CVE-2025-12813 describes a critical Remote Code Execution (RCE) vulnerability discovered in the Holiday class post calendar plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability impacts versions 0.0.0 through 7.1, and a fix is available in version 7.2.
Detecte esta CVE no seu projeto
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Impacto e Cenários de Ataquetraduzindo…
The impact of this vulnerability is severe. An attacker can leverage the lack of sanitization in the 'contents' parameter to inject and execute malicious code directly on the WordPress server. This could lead to complete server compromise, including data theft, modification, or deletion. Attackers could also use the compromised server to launch further attacks against other systems on the network, significantly expanding the blast radius. The ease of exploitation, requiring no authentication, makes this a high-priority risk.
Contexto de Exploraçãotraduzindo…
This vulnerability is considered highly exploitable due to its ease of access and the potential for complete system compromise. While no public exploits have been widely reported at the time of writing, the lack of authentication required significantly increases the likelihood of exploitation. The vulnerability was publicly disclosed on 2025-11-11 and added to the CISA KEV catalog, indicating a heightened risk of exploitation.
Quem Está em Riscotraduzindo…
WordPress websites utilizing the Holiday class post calendar plugin, particularly those running older, unpatched versions (0.0.0–7.1), are at significant risk. Shared hosting environments are particularly vulnerable as they often lack granular control over plugin updates and security configurations. Sites with limited security monitoring or those relying solely on automatic updates are also at increased risk.
Passos de Detecçãotraduzindo…
• wordpress / composer / npm:
grep -r 'contents' /var/www/html/wp-content/plugins/holiday-class-post-calendar/*• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/holiday-class-post-calendar/?contents=<script>alert('XSS')</script>• wordpress / composer / npm:
wp plugin list | grep 'holiday-class-post-calendar'• wordpress / composer / npm:
wp plugin update holiday-class-post-calendarLinha do Tempo do Ataque
- Disclosure
disclosure
- Patch
patch
- CISA KEV
kev
Inteligência de Ameaças
Status do Exploit
EPSS
0.45% (percentil 63%)
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Inalterado — impacto limitado ao componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Alto — o atacante pode escrever, modificar ou excluir qualquer dado.
- Availability
- Alto — falha completa ou esgotamento de recursos. Negação de serviço total.
Software Afetado
Informações do pacote
- Instalações ativas
- 90
- Avaliação do plugin
- 0.0
- Requer WordPress
- 4.5+
- Compatível até
- 6.9.4
- Requer PHP
- 7.0+
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
- Modificada
- EPSS atualizado
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation is to immediately upgrade the Holiday class post calendar plugin to version 7.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious input in the 'contents' parameter. Carefully review WordPress access logs for any unusual activity related to the plugin, specifically looking for attempts to inject code.
Como corrigirtraduzindo…
Update to version 7.2, or a newer patched version
Boletim de Segurança CVE
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
Perguntas frequentestraduzindo…
What is CVE-2025-12813 — Remote Code Execution in Holiday class post calendar?
CVE-2025-12813 is a critical RCE vulnerability in the Holiday class post calendar WordPress plugin, allowing attackers to execute code via the 'contents' parameter due to insufficient sanitization.
Am I affected by CVE-2025-12813 in Holiday class post calendar?
You are affected if your WordPress site uses the Holiday class post calendar plugin in versions 0.0.0 through 7.1. Upgrade to 7.2 to resolve the issue.
How do I fix CVE-2025-12813 in Holiday class post calendar?
Upgrade the Holiday class post calendar plugin to version 7.2 or later. If immediate upgrade is not possible, disable the plugin or implement a WAF rule to block malicious input.
Is CVE-2025-12813 being actively exploited?
While no widespread exploitation has been confirmed, the vulnerability's ease of access and lack of authentication make it a high-risk target for potential exploitation.
Where can I find the official Holiday class post calendar advisory for CVE-2025-12813?
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.