Holiday Class Post Calendar Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in the Holiday Class Post Calendar plugin for WordPress, affecting all versions up to and including 7.1. The vulnerability arises from inadequate sanitization of user-supplied data in the 'contents' parameter when generating cache files. This flaw allows unauthenticated attackers to execute arbitrary code on the server.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where the affected WordPress site is hosted.
Reproduction
To reproduce this vulnerability, send a request to the WordPress site with the 'contents' parameter containing unsanitized data. This can be done through an AJAX request to 'wp_ajax_nopriv_hcpcldrsavecache', which is available to unauthenticated users. The plugin will then execute the injected code on the server.
Remediation
No patch is currently available. It is recommended to uninstall the affected plugin and consider a replacement.
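Because the unauthenticated entry point is the AJAX hook named above, a site operator can unhook it while the plugin is still installed. The following must-use plugin is an added example written for this advisory, not code from the plugin or its vendor; it assumes the action name is 'hcpcldrsavecache' (the suffix of the 'wp_ajax_nopriv_' hook on this page) and that the file is placed in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Interim block for the hcpcldrsavecache AJAX action
 * Description: Strips the unauthenticated 'hcpcldrsavecache' handler and logs
 *              attempts to reach it. Stopgap only, until the plugin is removed.
 */

// wp-admin/admin-ajax.php fires 'admin_init' before it dispatches
// 'wp_ajax_nopriv_{action}', so a late admin_init callback can remove whatever
// handler the plugin registered without knowing the callback's name.
add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return;
    }

    // Remove every callback on the unauthenticated hook. With no handler left,
    // admin-ajax.php answers the request with HTTP 400 instead of running it.
    remove_all_actions('wp_ajax_nopriv_hcpcldrsavecache');

    // Record blocked attempts so they can be correlated with other indicators.
    $action = isset($_REQUEST['action'])
        ? sanitize_key(wp_unslash($_REQUEST['action']))
        : '';
    if ($action === 'hcpcldrsavecache' && !is_user_logged_in()) {
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log(sprintf('[hcpcldr-block] unauthenticated hcpcldrsavecache request from %s', $ip));
    }
}, PHP_INT_MAX);
```

This only closes the unauthenticated path the advisory describes; the logged-in hook ('wp_ajax_hcpcldrsavecache') is assumed to share the same handler, so low-privilege accounts may still reach the flaw, and uninstalling the plugin remains the actual fix.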
