CVE-2025-12813 PUBLISHED

Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'

Assigner: Wordfence
Reserved: 06.11.2025 | Published: 11.11.2025 | Updated: 14.11.2025

The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor: strix-bubol5
Product: Holiday class post calendar
Versions (default: unaffected):
  • affected from * to 7.1 (incl.)

Credits

  • Kenneth Dunn (finder)

Problem Types

  • CWE-94 Improper Control of Generation of Code ('Code Injection')