CVE-2024-12579: CWE-400 Uncontrolled Resource Consumption in teckel Minify HTML
CVE-2024-12579 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the Minify HTML WordPress plugin by teckel, versions up to and including 2.1.10. The vulnerability arises from processing user-supplied input as a regular expression, enabling unauthenticated attackers to craft malicious comments that trigger catastrophic backtracking. This results in uncontrolled resource consumption, potentially causing web pages to become unresponsive or break. The vulnerability has a CVSS score of 5.3 (medium severity) and does not require authentication or user interaction. There are currently no known exploits in the wild, and no patches have been published yet. Organizations using this plugin on WordPress sites should be aware of the risk of service disruption due to this vulnerability.
AI Analysis
Technical Summary
The Minify HTML plugin for WordPress, developed by teckel, suffers from a Regular Expression Denial of Service (ReDoS) vulnerability identified as CVE-2024-12579. This vulnerability is classified under CWE-400, which pertains to uncontrolled resource consumption. The root cause is the plugin's handling of user-supplied input as a regular expression without proper safeguards. Specifically, when an attacker submits crafted comments containing malicious patterns, the regular expression engine can enter catastrophic backtracking, consuming excessive CPU resources and causing the affected web pages to become unresponsive or fail to load. The vulnerability affects all versions up to and including 2.1.10 of the plugin. Exploitation requires no authentication or user interaction, making it accessible to any unauthenticated attacker capable of submitting comments. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with attack vector as network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to integrity (I:L) without affecting confidentiality or availability. Although no known exploits have been reported in the wild and no official patches have been released, the vulnerability poses a risk of denial of service through resource exhaustion on affected WordPress sites.
Potential Impact
The primary impact of CVE-2024-12579 is the potential for denial of service on WordPress websites using the vulnerable Minify HTML plugin. Attackers can exploit this vulnerability to cause excessive CPU consumption via crafted comments, leading to slowdowns, unresponsive pages, or complete service disruption. This can degrade user experience, reduce site availability, and potentially affect business operations relying on the affected websites. Since the vulnerability does not compromise confidentiality or availability directly but impacts integrity through service disruption, the risk is mainly operational. Organizations with high-traffic WordPress sites or those relying on the Minify HTML plugin for performance optimization are at greater risk. Additionally, the lack of authentication requirement broadens the attack surface, allowing any internet user to attempt exploitation. While no widespread exploitation is currently known, the vulnerability could be leveraged in targeted denial-of-service campaigns or combined with other attacks to amplify impact.
Mitigation Recommendations
To mitigate CVE-2024-12579, organizations should first monitor for updates or patches from the plugin vendor and apply them promptly once available. In the absence of official patches, administrators can implement web application firewall (WAF) rules to detect and block malicious comment payloads that contain suspicious regular expression patterns or unusually long repetitive sequences known to trigger catastrophic backtracking. Rate limiting comment submissions and employing CAPTCHA challenges can reduce the risk of automated exploitation. Disabling or restricting the Minify HTML plugin temporarily may be necessary if exploitation attempts are detected. Additionally, reviewing and sanitizing user inputs before processing them as regular expressions can prevent such vulnerabilities; developers should refactor the plugin code to avoid unsafe regex usage or implement timeout limits on regex operations. Regular monitoring of server resource usage and logs can help detect early signs of exploitation attempts. Finally, educating site administrators about the risks of untrusted input in regex processing is essential for long-term security.
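As an added example (not the Minify HTML plugin's code), a hypothetical PHP minifier helper that lets an untrusted marker string reach the regex engine, first in the unsafe form the advisory describes and then hardened the way the mitigation paragraph recommends: the input is made literal with preg_quote(), the backtracking budget is capped with pcre.backtrack_limit, and preg_last_error() turns any aborted match into a logged, fail-safe result. The function and variable names are assumptions; preg_last_error_msg() requires PHP 8.

```php
<?php
// Added example, not the plugin's own code. $marker stands for hypothetical
// untrusted input (e.g. text taken from a comment) that ends up in a pattern.

// Unsafe: the untrusted string is concatenated into the pattern, so any regex
// metacharacters it contains are interpreted as syntax rather than as text.
function strip_marked_comments_unsafe(string $html, string $marker): ?string
{
    return preg_replace('/<!--\s*' . $marker . '\s*-->/s', '', $html);
}

// Hardened: bound the input, quote it so it can only match literally, cap the
// work PCRE may do, and detect an aborted match instead of hanging the request.
function strip_marked_comments_safe(string $html, string $marker): string
{
    // Cheap pre-check: an oversized marker never reaches the regex engine.
    if (strlen($marker) > 64) {
        return $html;
    }

    // Lower the per-match backtracking budget (PHP's default is 1000000).
    // A pattern that exceeds it fails fast with PREG_BACKTRACK_LIMIT_ERROR.
    ini_set('pcre.backtrack_limit', '100000');

    // preg_quote() escapes regex metacharacters and the '/' delimiter, so the
    // marker is matched as a literal substring, never as a sub-pattern.
    $pattern = '/<!--\s*' . preg_quote($marker, '/') . '\s*-->/s';

    $result = preg_replace($pattern, '', $html);
    if ($result === null) {
        // Backtrack/recursion limit hit or bad pattern: log it and fail safe by
        // returning the unminified HTML rather than an empty or broken page.
        error_log('minify: regex aborted (' . preg_last_error_msg() . '), HTML left unmodified');
        return $html;
    }
    return $result;
}

// Constructed sample input for a local run.
$html = '<p>Hello</p><!-- debug --><p>World</p>';
echo strip_marked_comments_safe($html, 'debug'), PHP_EOL;
// A marker made of regex metacharacters is treated as plain text and does not match.
echo strip_marked_comments_safe($html, '(a+)+$'), PHP_EOL;
```

The same `preg_last_error()` check belongs on every `preg_*` call in request-handling code, since a null return from `preg_replace()` is otherwise silently coerced to an empty string by string concatenation.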
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-12T15:59:19.104Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e43b7ef31ef0b59bf0b
Added to database: 2/25/2026, 9:48:51 PM
Last enriched: 2/26/2026, 3:42:27 AM
Last updated: 2/26/2026, 7:22:06 AM