{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12813", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T16:32:17.929Z", "datePublished": "2025-11-11T03:30:43.449Z", "dateUpdated": "2026-04-08T17:03:22.550Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:22.550Z"}, "affected": [{"vendor": "strix-bubol5", "product": "Holiday class post calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server."}], "title": "Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/holiday-class-post-calendar/trunk/holiday_class_post_calendar.php#L1234"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414925%40holiday-class-post-calendar&new=3414925%40holiday-class-post-calendar&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-11-10T14:59:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-14T15:25:22.423538Z", "id": "CVE-2025-12813", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T15:31:22.875Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-14T15:25:22.423538Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T15:25:23.270Z"}}], "cna": {"title": "Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "strix-bubol5", "product": "Holiday class post calendar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T14:59:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/holiday-class-post-calendar/trunk/holiday_class_post_calendar.php#L1234"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414925%40holiday-class-post-calendar&new=3414925%40holiday-class-post-calendar&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:22.550Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12813", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:22.550Z", "dateReserved": "2025-11-06T16:32:17.929Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:43.449Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server."}], "id": "CVE-2025-12813", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:50.413", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/holiday-class-post-calendar/trunk/holiday_class_post_calendar.php#L1234"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414925%40holiday-class-post-calendar&new=3414925%40holiday-class-post-calendar&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:28:53.342263+00:00", "value": {"mitigation_remediation": ["Apply the latest Holiday class post calendar plugin update (v7.2 or newer) as soon as it becomes available.", "If an update is not possible, disable or remove the plugin from the WordPress installation to eliminate the attack surface.", "As a temporary workaround, restrict access to the 'contents' parameter by using a web application firewall rule, or manually sanitize the data before it is written to the cache file."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems include any WordPress site running the Holiday class post calendar plugin version 7.1 or earlier. The plugin is distributed by Strix-Bubol5. Sites that have not upgraded beyond version 7.1 are at risk. The vulnerability is independent of user authentication and can be triggered from any public endpoint that accepts the 'contents' parameter.", "description_and_impact": "The Holiday class post calendar plugin for WordPress is vulnerable to remote code execution in all versions up to 7.1. An unauthenticated attacker can supply malicious code through the 'contents' parameter when a cache file is created, because the plugin does not sanitize user input. This is a classic code injection flaw (CWE-94) that gives the attacker full control over the server.", "risk_and_exploitability": "The CVSS score of 9.8 marks it as critical, but the EPSS score is under 1%, indicating that widespread exploitation has not been observed. The attack can be performed without prior access, simply by sending a crafted request to the plugin\u2019s cache creation endpoint, making the risk high for exposed sites. The vulnerability is not listed in CISA KEV, but the high severity warrants immediate attention."}}}}, "created": "2025-11-12T12:47:43.058796+00:00", "updated": "2026-04-21T18:30:27.589347+00:00", "vendors": ["strix-bubol5", "strix-bubol5$PRODUCT$holiday_class_post_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}