CVE-2025-12813 is a critical remote code execution (RCE) vulnerability identified in the Holiday class post calendar plugin for WordPress, developed by strix-bubol5. This vulnerability affects all versions up to and including 7.1. The root cause is improper control over code generation (CWE-94), specifically due to a lack of sanitization of user-supplied input in the 'contents' parameter when the plugin creates a cache file. An attacker can exploit this flaw by sending crafted requests containing malicious code in the 'contents' parameter, which the plugin then writes unsanitized into a cache file. This leads to arbitrary code execution on the server hosting the WordPress site. The vulnerability is exploitable remotely without any authentication or user interaction, making it highly dangerous. The CVSS v3.1 base score is 9.8, reflecting the critical nature of this vulnerability with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact includes full compromise of the affected server, allowing attackers to execute arbitrary commands, steal sensitive data, modify or delete content, and disrupt service availability. Although no public exploits are currently known, the vulnerability's characteristics suggest that exploitation could be straightforward once a proof-of-concept is developed or leaked. The plugin is widely used in WordPress environments for managing post calendars, making the attack surface significant. The lack of a patch or mitigation at the time of disclosure increases the urgency for affected users to take protective measures.

For European organizations, the impact of CVE-2025-12813 is substantial. Many businesses, government agencies, and media outlets in Europe utilize WordPress as their content management system, often relying on plugins like the Holiday class post calendar for editorial scheduling and content management. Successful exploitation could lead to full server compromise, resulting in data breaches involving personal data protected under GDPR, intellectual property theft, defacement of websites, and disruption of online services. This could damage organizational reputation, incur regulatory fines, and cause operational downtime. The ability for unauthenticated remote attackers to execute code increases the risk of automated mass exploitation campaigns targeting vulnerable WordPress sites across Europe. Additionally, compromised servers could be leveraged as part of botnets or for launching further attacks, amplifying the threat landscape. The critical severity and ease of exploitation make this vulnerability a high priority for European cybersecurity teams to address promptly.

1. Immediately disable or uninstall the Holiday class post calendar plugin until a vendor patch is released. 2. If removal is not feasible, restrict access to the vulnerable functionality by implementing web application firewall (WAF) rules that block requests containing suspicious payloads in the 'contents' parameter. 3. Employ strict input validation and sanitization on all user-supplied data, particularly parameters that influence file creation or code execution. 4. Monitor web server and application logs for unusual requests or error messages related to the plugin. 5. Maintain regular backups of website data and server configurations to enable rapid recovery in case of compromise. 6. Keep WordPress core and all plugins updated to the latest versions once patches addressing this vulnerability become available. 7. Conduct security audits and vulnerability scans focusing on WordPress environments to identify and remediate similar issues proactively. 8. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.