Holiday class post calendar

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server.

AI Analysis

Unauthenticated Remote Code Execution via 'contents' parameter due to lack of sanitization of user-supplied data

Basic Information

ID CVE-2025-12813

Source Wordfence

Published Nov 11, 2025 at 03:30

Affected Product

Vendor strix-bubol5

Product Holiday class post calendar

Version *

Affected Versions strix-bubol5 Holiday class post calendar *

CWE Classification

CWE-94

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor strix-bubol5

Product Holiday class post calendar

Version 7.1

References

{
    "lastseen": "",
    "description": "The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server.",
    "published": "2025-11-11T03:30:43.449Z",
    "modified": "2025-11-11T03:30:43.449Z",
    "type": "cve",
    "title": "Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve\nhttps://plugins.trac.wordpress.org/browser/holiday-class-post-calendar/trunk/holiday_class_post_calendar.php#L1234",
    "id": "CVE-2025-12813",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "strix-bubol5 Holiday class post calendar *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Holiday class post calendar",
    "version": "*",
    "vendor": "strix-bubol5",
    "ai_description": "Unauthenticated Remote Code Execution via 'contents' parameter due to lack of sanitization of user-supplied data",
    "ai_severity": "Critical",
    "ai_vendor": "strix-bubol5",
    "ai_product": "Holiday class post calendar",
    "ai_version": "7.1",
    "ai_score": 9.8
}

Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'_CVE-2025-12813