PT-2025-46297 · WordPress · Holiday Class Post Calendar Plugin
Kenneth Dunn · Published 2025-11-11 · Updated 2025-11-16
CVE-2025-12813
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WordPress Holiday Class Post Calendar plugin versions up to and including 7.1
Description
The Holiday Class Post Calendar plugin for WordPress is susceptible to Remote Code Execution via the contents parameter. This occurs because the plugin does not properly sanitize user-provided data when creating cache files. This allows unauthenticated attackers to execute code on the server. The issue enables code injection due to improper control of code generation.
Recommendations
Update the plugin to a patched version if available.
If no patch is available, disable and uninstall the vulnerable plugin instances.
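To act on these recommendations across many sites, the following added example (not part of the advisory or of the plugin's code) scans a wp-content/plugins directory and flags installs at or below version 7.1. It assumes the plugin's main file carries a standard WordPress header whose Plugin Name field contains "Holiday Class Post Calendar"; the directory path is supplied by the operator and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "holiday class post calendar"  # assumption: text of the "Plugin Name" header
LAST_AFFECTED = (7, 1)                       # advisory: versions up to and including 7.1
# Header syntax WordPress reads from the first 8 KB of a plugin's main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)
# Constructed sample header, used when no directory is passed on the command line.
SAMPLE = "<?php\n/*\n * Plugin Name: Holiday Class Post Calendar\n * Version: 7.1\n */\n"

def parse_header(text):
    """Return the 'plugin name' and 'version' header fields found in a plugin file."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        value = re.sub(r"\s*(?:\*/|\?>).*", "", value).strip()  # drop a trailing */ or ?>
        fields.setdefault(key.lower(), value)
    return fields

def is_affected(version):
    """True when version <= 7.1; an empty or unparseable version is also flagged."""
    nums = []
    for part in version.strip().split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        nums.append(int(digits.group()))
    while nums and nums[-1] == 0:  # treat 7.1.0 as 7.1
        nums.pop()
    return tuple(nums) <= LAST_AFFECTED

def scan(plugins_dir):
    """Return (file, version, affected) for each matching plugin under plugins_dir."""
    root = Path(plugins_dir)
    hits = []
    for php in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        fields = parse_header(php.read_text(errors="replace"))
        if PLUGIN_NAME in fields.get("plugin name", "").lower():
            version = fields.get("version", "")
            hits.append((str(php), version, is_affected(version)))
    return hits

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, version, affected in scan(sys.argv[1]):
            print("AFFECTED" if affected else "ok", version or "?", path)
    else:
        print(parse_header(SAMPLE), is_affected(parse_header(SAMPLE)["version"]))
```

A deactivated plugin still has its files on disk, so the scan reports it as well; the second recommendation calls for uninstalling, not only disabling.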
Fix
RCE
Code Injection
Affected Products
Holiday Class Post Calendar Plugin