{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7650", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-14T17:33:11.276Z", "datePublished": "2025-08-15T08:25:37.747Z", "dateUpdated": "2026-04-08T16:33:41.124Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:41.124Z"}, "affected": [{"vendor": "setriosoft", "product": "BizCalendar Web", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.0.53", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.53 via the 'bizcalv' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."}], "title": "BizCalendar Web <= 1.1.0.53 - Authenticated (Contributor+) Local File Inclusion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0640538c-b076-453c-a32e-f33b4e1c77ae?source=cve"}, {"url": "https://wordpress.org/plugins/bizcalendar-web/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377221%40bizcalendar-web&new=3377221%40bizcalendar-web&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "cweId": "CWE-98", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-08-14T20:14:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-15T16:31:03.173423Z", "id": "CVE-2025-7650", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T16:31:16.146Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7650", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-15T16:31:03.173423Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T16:31:12.418Z"}}], "cna": {"title": "BizCalendar Web <= 1.1.0.53 - Authenticated (Contributor+) Local File Inclusion", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "setriosoft", "product": "BizCalendar Web", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.0.53"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-14T20:14:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0640538c-b076-453c-a32e-f33b4e1c77ae?source=cve"}, {"url": "https://wordpress.org/plugins/bizcalendar-web/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377221%40bizcalendar-web&new=3377221%40bizcalendar-web&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.53 via the 'bizcalv' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:41.124Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7650", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:33:41.124Z", "dateReserved": "2025-07-14T17:33:11.276Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-15T08:25:37.747Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.53 via the 'bizcalv' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."}, {"lang": "es", "value": "El complemento BizCalendar Web para WordPress es vulnerable a la inclusi\u00f3n de archivos locales en todas las versiones hasta la 1.1.0.50 incluida, mediante el shortcode 'bizcalv'. Esto permite a atacantes autenticados, con acceso de colaborador o superior, incluir y ejecutar archivos arbitrarios en el servidor, permitiendo la ejecuci\u00f3n de cualquier c\u00f3digo PHP en dichos archivos. Esto puede utilizarse para eludir los controles de acceso, obtener datos confidenciales o ejecutar c\u00f3digo cuando se pueden subir e incluir im\u00e1genes y otros tipos de archivos \"seguros\"."}], "id": "CVE-2025-7650", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-15T09:15:29.673", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377221%40bizcalendar-web&new=3377221%40bizcalendar-web&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/bizcalendar-web/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0640538c-b076-453c-a32e-f33b4e1c77ae?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:29:26.659484+00:00", "value": {"mitigation_remediation": ["Upgrade the BizCalendar Web plugin to a version newer than 1.1.0.53 where the LFI issue has been fixed.", "Restrict the bizcalv shortcode to administrators only or disable it for users with Contributor or lower roles.", "If an immediate upgrade is not possible, remove the bizcalv shortcode from the site or replace the plugin altogether to prevent the inclusion of arbitrary files."], "summary": {"action": "Apply patch", "impact": "Arbitrary code execution via LFI on contributor level"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Setriosoft BizCalendar Web WordPress plugin, all releases version 1.1.0.53 and earlier. Users running any of these versions are susceptible, regardless of the WordPress installation or theme.", "description_and_impact": "The BizCalendar Web plugin for WordPress is vulnerable to a local file inclusion flaw triggered through the 'bizcalv' shortcode. Authenticated attackers holding a Contributor role or higher can specify any file path to be included, which allows them to execute PHP code stored on the server. This capability can lead to full code execution, bypass access controls, and theft of sensitive data.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests exploitation is unlikely at present. The issue is not listed in the CISA KEV catalog. An attacker would need to be authenticated as a Contributor or higher to launch the attack, typically by submitting a request to the bizcalv shortcode and supplying a crafted file path. Once in place, the attacker can execute arbitrary PHP code on the target server."}}}}, "created": "2025-08-16T21:40:49.739306+00:00", "updated": "2026-04-22T14:30:18.963988+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}