
CVE-2025-7650: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in setriosoft BizCalendar Web

Severity: High
Type: Vulnerability. Tags: cve-2025-7650, cwe-98
Published: Fri Aug 15 2025 (08/15/2025, 08:25:37 UTC)
Source: CVE Database V5
Vendor/Project: setriosoft
Product: BizCalendar Web

Description

The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.50 via the 'bizcalv' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

AI-Powered Analysis

Last updated: 08/15/2025, 09:03:35 UTC

Technical Analysis

CVE-2025-7650 is a high-severity vulnerability in the BizCalendar Web plugin for WordPress, developed by setriosoft. It is classified as CWE-98 (improper control of the filename used in a PHP include or require statement), the weakness behind Remote File Inclusion (RFI) and Local File Inclusion (LFI). All versions of BizCalendar Web up to and including 1.1.0.50 are affected. The flaw is reached through the 'bizcalv' shortcode: an authenticated user with Contributor-level access or higher can make the plugin include an arbitrary file on the server, and any PHP code in that file is executed. No user interaction is required beyond authentication at the Contributor level, a relatively low privilege in WordPress. An attacker can use this to bypass access controls, read sensitive data, and execute arbitrary code, compromising the confidentiality, integrity, and availability of the affected system. The CVSS v3.1 base score is 7.5 (High), with vector string AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: the attack is network exploitable with high attack complexity, requires low privileges and no user interaction, and has high impact on confidentiality, integrity, and availability. No public exploits are currently known in the wild, and no patch has been linked yet. The root cause is insufficient validation or sanitization of the filename parameter that the plugin's shortcode handler passes to include/require, so an attacker can supply an arbitrary file path. Combined with the ability to upload files containing PHP code disguised as a safe type (for example, an image), this allows the uploaded file to be included through the vulnerable shortcode and yields remote code execution on the server hosting the WordPress site.

Potential Impact

For European organizations using WordPress sites with the BizCalendar Web plugin, this vulnerability poses a significant risk. An attacker with contributor-level access—which can be obtained through compromised credentials, social engineering, or exploiting other vulnerabilities—can execute arbitrary code on the web server. This can lead to full site compromise, data breaches involving sensitive customer or business data, defacement, or use of the compromised server as a pivot point for further attacks within the corporate network. Given the widespread use of WordPress in Europe across various sectors including government, education, and commerce, the impact could be broad. Organizations handling personal data under GDPR are at risk of regulatory penalties if breaches occur. Additionally, the ability to bypass access controls and execute code can disrupt business operations and damage reputation. The lack of known public exploits currently reduces immediate risk, but the high severity and ease of exploitation once credentials are obtained mean that targeted attacks or insider threats could leverage this vulnerability effectively.

Mitigation Recommendations

Specific mitigation steps include:
1) Immediately audit WordPress sites to identify installations of the BizCalendar Web plugin and verify the version in use.
2) Restrict Contributor-level access strictly to trusted users, and review user roles and permissions to minimize exposure.
3) Implement strict file upload controls and validation to prevent uploading of files that contain executable PHP code disguised as images or other safe types.
4) Use a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode usage or attempts to include arbitrary files.
5) Monitor logs for unusual shortcode usage or file inclusion attempts.
6) Since no official patch is currently linked, consider temporarily disabling the BizCalendar Web plugin or removing the vulnerable shortcode until a patch is released.
7) Harden the PHP configuration by disabling allow_url_include and restricting include paths where possible.
8) Educate site administrators about the risks of granting Contributor-level access, and require strong authentication such as MFA.
9) Update WordPress core and plugins regularly so that security fixes are applied promptly once available.
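As an added example (not part of this advisory and not the plugin's own code), the following scanner supports mitigation items 1 and 5: it walks exported WordPress post content, extracts every `[bizcalv ...]` shortcode, and flags attribute values that look like they steer an include toward a file outside the plugin (path traversal, stream wrappers, remote URLs, the uploads directory). The attribute names (`view`, `tpl`) and the sample rows are constructed; since this page does not name the vulnerable attribute, the scan checks every attribute of the shortcode.

```python
import re
from dataclasses import dataclass

# One [bizcalv ...] shortcode; attributes follow WordPress conventions:
# key="value", key='value', or bare key=value.
SHORTCODE_RE = re.compile(r"\[bizcalv\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Indicators (checked in order, first match wins) that an attribute value
# points an include/require at a file the shortcode was never meant to load.
SUSPICIOUS = [
    ("path traversal", re.compile(r"\.\.[/\\]")),
    ("php stream wrapper", re.compile(r"^(?:php|phar|data|expect|zip)://", re.I)),
    ("remote url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("uploads directory", re.compile(r"wp-content/uploads", re.I)),
    ("absolute path", re.compile(r"^(?:/|[A-Za-z]:\\)")),
    ("null byte", re.compile(r"%00|\x00")),
]

@dataclass
class Finding:
    post_id: int
    author: str
    attr: str
    value: str
    reason: str

def parse_attrs(raw: str) -> dict:
    """Return {attribute_name: value} for the inside of one shortcode tag."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def scan_post(post_id: int, author: str, content: str) -> list:
    """Flag every bizcalv attribute in one post whose value matches an indicator."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for attr, value in parse_attrs(sc.group(1)).items():
            for reason, pattern in SUSPICIOUS:
                if pattern.search(value):
                    findings.append(Finding(post_id, author, attr, value, reason))
                    break
    return findings

# Constructed rows standing in for wp_posts: (ID, author login, post_content).
SAMPLE_POSTS = [
    (101, "editor_anna", 'Agenda: [bizcalv view="month" lang="en"]'),
    (102, "contrib_bob", '[bizcalv view="../../../templates/custom.php"]'),
    (103, "contrib_bob", "[bizcalv tpl='/var/www/html/wp-content/uploads/2025/08/banner.png']"),
    (104, "editor_anna", "Plain text, no shortcode here."),
]

def scan_all(posts=SAMPLE_POSTS) -> list:
    out = []
    for post_id, author, content in posts:
        out.extend(scan_post(post_id, author, content))
    return out

if __name__ == "__main__":
    for f in scan_all():
        print(f"post {f.post_id} by {f.author}: {f.attr}={f.value!r} ({f.reason})")
```

Feed it rows from `wp_posts` (or revisions, which Contributors can also create) and triage any hit against the author's role and the plugin version found in step 1.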


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-14T17:33:11.276Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689ef436ad5a09ad00697339

Added to database: 8/15/2025, 8:47:50 AM

Last enriched: 8/15/2025, 9:03:35 AM

Last updated: 8/16/2025, 7:38:00 AM
