CVE-2025-12813
📋 TL;DR
The Holiday Class Post Calendar WordPress plugin has a critical remote code execution vulnerability in all versions up to 7.1. Unauthenticated attackers can execute arbitrary code on the server by exploiting improper input sanitization in the 'contents' parameter when creating cache files. This affects all WordPress sites using the vulnerable plugin versions.
💻 Affected Systems
- Holiday Class Post Calendar WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to install malware, steal sensitive data, deface websites, or use the server as part of a botnet.
Likely Case
Website defacement, data theft, backdoor installation, and potential lateral movement within the hosting environment.
If Mitigated
Limited impact if proper web application firewalls, file integrity monitoring, and least privilege principles are implemented.
🎯 Exploit Status
The vulnerability is well-documented with public proof-of-concept available. Attackers can exploit this without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 7.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/holiday-class-post-calendar/trunk/holiday_class_post_calendar.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find 'Holiday Class Post Calendar'. 4. Click 'Update Now' if available. 5. If update not available, deactivate and delete the plugin, then install the latest version from WordPress repository.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the vulnerable plugin until patched.
wp plugin deactivate holiday-class-post-calendar
Web Application Firewall Rule
allBlock requests containing malicious payloads targeting the 'contents' parameter.
🧯 If You Can't Patch
- Deactivate the Holiday Class Post Calendar plugin immediately
- Implement strict file upload restrictions and disable PHP execution in cache directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Holiday Class Post Calendar. If version is 7.1 or lower, you are vulnerable.Check Version:
wp plugin get holiday-class-post-calendar --field=versionVerify Fix Applied:
Verify plugin version is 7.2 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to calendar-related endpoints
- Suspicious file creation in cache directories
- PHP execution attempts in non-standard locations
Network Indicators:
- HTTP requests with encoded payloads in 'contents' parameter
- Outbound connections from web server to unknown IPs
SIEM Query:
source="web_logs" AND (uri="*holiday*" OR uri="*calendar*") AND (param="contents" AND value MATCHES "*php*" OR "*system*" OR "*exec*")