Description
The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server.
Published: 2025-11-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Holiday class post calendar plugin for WordPress is vulnerable to remote code execution in all versions up to 7.1. An unauthenticated attacker can supply malicious code through the 'contents' parameter when a cache file is created, because the plugin does not sanitize user input. This is a classic code injection flaw (CWE-94) that gives the attacker full control over the server.

Affected Systems

Affected systems include any WordPress site running the Holiday class post calendar plugin version 7.1 or earlier. The plugin is distributed by Strix-Bubol5. Sites that have not upgraded beyond version 7.1 are at risk. The vulnerability is independent of user authentication and can be triggered from any public endpoint that accepts the 'contents' parameter.

Risk and Exploitability

The CVSS score of 9.8 marks it as critical, but the EPSS score is under 1%, indicating that widespread exploitation has not been observed. The attack can be performed without prior access, simply by sending a crafted request to the plugin’s cache creation endpoint, making the risk high for exposed sites. The vulnerability is not listed in CISA KEV, but the high severity warrants immediate attention.

Generated by OpenCVE AI on April 21, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Holiday class post calendar plugin update (v7.2 or newer) as soon as it becomes available.
  • If an update is not possible, disable or remove the plugin from the WordPress installation to eliminate the attack surface.
  • As a temporary workaround, restrict access to the 'contents' parameter by using a web application firewall rule, or manually sanitize the data before it is written to the cache file.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000


Fri, 14 Nov 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values Added: Strix-bubol5; Strix-bubol5 holiday Class Post Calendar; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Strix-bubol5; Strix-bubol5 holiday Class Post Calendar; Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type: Description
Values Added: The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server.

Type: Title
Values Added: Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'

Type: Weaknesses
Values Added: CWE-94

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Strix-bubol5 Holiday Class Post Calendar
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:22.550Z

Reserved: 2025-11-06T16:32:17.929Z

Link: CVE-2025-12813

Vulnrichment

Updated: 2025-11-14T15:25:23.270Z

NVD

Status : Deferred

Published: 2025-11-11T04:15:50.413

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses