CVE-2025-7650: 
WordPress vulnerability analysis and mitigation

The BizCalendar Web plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2025-7650) affecting all versions up to and including 1.1.0.50. The vulnerability was discovered and disclosed on August 15, 2025. The affected software is the BizCalendar Web WordPress plugin (NVD, WordPress Plugin).

The vulnerability exists in the 'bizcalv' shortcode implementation which allows authenticated users with Contributor-level access or higher to include and execute arbitrary files on the server. This enables the execution of any PHP code contained within those files. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (NVD).

The vulnerability allows authenticated attackers to bypass access controls, obtain sensitive data, and potentially achieve code execution when images and other "safe" file types can be uploaded and included. This creates a significant security risk for affected WordPress installations (NVD).

The plugin has been temporarily closed as of August 14, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version is released (WordPress Plugin).