This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.

Q1. What is this vulnerability? (Essence + Consequences)

**Essence**: A Code Injection flaw in the 'Holiday class post calendar' plugin. …

**Root Cause**: CWE-94 (Code Injection). **Flaw**: The plugin fails to sanitize the `contents` parameter when creating cache files. **Result**: Untrusted data is executed as code.

Q3. Who is affected? (Versions/Components)

**Vendor**: strix-bubol5. **Product**: Holiday class post calendar. **Affected Versions**: Version **7.1 and earlier**. Check your plugin version immediately!

Q4. What can attackers do? (Privileges/Data)

**Privileges**: Full system control via RCE. **Data**: Complete compromise of Confidentiality, Integrity, and Availability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). No authentication required.

**Public Exploit?**: No specific PoC code is provided in the data. **References**: Links to WordPress Trac and Wordfence exist. High risk of in-the-wild exploitation due to the low barrier.

Q7. How to self-check? (Features/Scanning)

**Check**: Scan for the 'Holiday class post calendar' plugin. **Version**: Verify whether the installed version is ≤ 7.1. **Tool**: Use WPScan or manual file inspection of `holiday_class_post_calendar.php` around line 1234.
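The version self-check above, as an added example that is not part of the original analysis: it reads the `Version:` field from a WordPress plugin header (the main file name `holiday_class_post_calendar.php` and the "7.1 and earlier" threshold come from the advisory; the sample header text is constructed) and compares versions numerically rather than as strings, so that 7.10 or 10.0 is not misreported as affected.

```python
import re
from typing import Optional, Tuple

# Values from the advisory: plugin main file and last affected version ("7.1 and earlier").
PLUGIN_FILE = "holiday_class_post_calendar.php"
LAST_AFFECTED = "7.1"

# WordPress reads the version from the header comment block, e.g. " * Version: 7.1".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header for the stand-alone run; not the real plugin's file contents.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Holiday class post calendar
Version: 7.1
*/
"""

def parse_version(text: str) -> Optional[str]:
    """Return the Version: value from a plugin header, or None if it is absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None

def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric tuple so '10.0' > '7.1'; a trailing tag such as '7.1-beta' is ignored."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group(0)))
    return tuple(parts) or (0,)

def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when version <= last affected version; shorter tuples are zero-padded."""
    a, b = version_tuple(version), version_tuple(last_affected)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))

def check_header(text: str) -> dict:
    """Classify a plugin main file's contents as 'affected', 'patched' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return {"version": None, "status": "unknown"}
    return {"version": version, "status": "affected" if is_affected(version) else "patched"}

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. wp-content/plugins/.../PLUGIN_FILE
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HEADER
    print(check_header(text))
```

Run it against the plugin's main file on each site; a result of `unknown` means the header was not found and the file should be inspected by hand.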
Q8. Is it fixed officially? (Patch/Mitigation)

**Fix**: Update to the latest version immediately. **Patch**: Refer to the WordPress Trac changeset for the fix. **Link**: https://plugins.trac.wordpress.org/changeset?…

**Workaround**: Disable the plugin if it is not essential. **Mitigation**: Remove the plugin entirely if possible. **Block**: Restrict access to the cache directories if you cannot uninstall.

Q10. Is it urgent? (Priority Suggestion)

**Urgency**: CRITICAL. **Priority**: P1. **Action**: Patch NOW. The CVSS score is High (9.8+ implied by H/I/H), and no authentication is needed. Don't wait!