
CVE-2024-12601: CWE-400 Uncontrolled Resource Consumption in codepeople Calculated Fields Form

Medium
Published: Tue Dec 17 2024 (12/17/2024, 11:10:17 UTC)
Source: CVE Database V5
Vendor/Project: codepeople
Product: Calculated Fields Form

Description

CVE-2024-12601 is a medium severity vulnerability in the WordPress plugin Calculated Fields Form by codepeople, affecting all versions up to 5.2.63. It allows unauthenticated attackers to trigger a Denial of Service (DoS) by exploiting uncontrolled resource consumption through unlimited height and width parameters for CAPTCHA images. Attackers can send multiple requests with large dimension values, causing excessive server resource usage and potentially slowing or crashing the server if no DoS mitigations are in place. The vulnerability does not impact confidentiality or integrity but affects availability. No authentication or user interaction is required, and no known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent service disruption.

AI-Powered Analysis

Last updated: 02/26/2026, 03:29:35 UTC

Technical Analysis

CVE-2024-12601 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) found in the Calculated Fields Form WordPress plugin developed by codepeople. This plugin, widely used for creating forms with calculated fields, includes a CAPTCHA feature to prevent automated submissions. However, the plugin fails to impose limits on the height and width parameters of CAPTCHA images. An unauthenticated attacker can exploit this by sending HTTP requests with arbitrarily large values for these parameters, causing the server to allocate excessive memory and CPU resources to generate oversized CAPTCHA images. This leads to resource exhaustion, resulting in degraded server performance or complete denial of service. The vulnerability affects all versions up to and including 5.2.63. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to availability (A:L). No known public exploits have been reported yet, but the vulnerability poses a risk to websites using this plugin without proper resource limiting or DoS protections. The lack of authentication requirement and ease of exploitation make it a notable threat for WordPress sites relying on this plugin.

Potential Impact

The primary impact of CVE-2024-12601 is denial of service, which can disrupt website availability and degrade user experience. Organizations running WordPress sites with the vulnerable Calculated Fields Form plugin risk server slowdowns or crashes if attackers exploit this flaw by sending numerous requests with large CAPTCHA image dimensions. This can lead to downtime, loss of customer trust, and potential revenue loss, especially for e-commerce, service providers, or high-traffic websites. Since the vulnerability does not affect confidentiality or integrity, data breaches are unlikely, but service disruption can have significant operational and reputational consequences. Additionally, resource exhaustion attacks can increase hosting costs due to higher CPU and memory usage. The ease of exploitation without authentication increases the attack surface, making it accessible to a wide range of attackers, including automated bots. Organizations without adequate DoS mitigation or rate limiting are particularly vulnerable.

Mitigation Recommendations

To mitigate CVE-2024-12601, organizations should first update the Calculated Fields Form plugin to a patched version once released by codepeople. Until a patch is available, administrators can implement the following specific mitigations:

1) Configure web application firewalls (WAFs) or reverse proxies to detect and block requests with unusually large CAPTCHA image dimension parameters.
2) Apply rate limiting on requests to the CAPTCHA generation endpoint to prevent abuse by automated scripts.
3) Implement server-side input validation to restrict acceptable height and width values for CAPTCHA images, rejecting or sanitizing out-of-range inputs.
4) Employ resource usage monitoring and alerts to detect abnormal CPU or memory spikes related to CAPTCHA requests.
5) Consider disabling the CAPTCHA feature temporarily if it is not critical, reducing the attack surface.
6) Use DoS protection services or cloud-based mitigations to absorb and filter malicious traffic.

These targeted steps go beyond generic advice by focusing on controlling the specific parameters exploited and monitoring resource consumption patterns.
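As an added example supporting the WAF, rate-limiting and monitoring steps above (this is not code from the page or from the plugin), the script below scans web-server access-log lines for CAPTCHA-image requests whose width/height would produce an oversized image and counts them per client address. It assumes Common Log Format, query parameters named "width" and "height", a request path containing "captcha", and a pixel-area threshold; the plugin's real endpoint and parameter names are not given on the page, and the sample log lines are constructed.

```python
# Added example (not the plugin's or the page's code): scan access-log lines for
# CAPTCHA-image requests with oversized width/height, as a feed for alerting.
# Assumed: Common Log Format, params named "width"/"height", path containing
# "captcha"; the sample lines below are constructed (203.0.113.5 is a doc range).
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

MAX_AREA = 400 * 150  # assumed upper bound on a legitimate CAPTCHA's pixel area
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3}')

def requested_area(url):
    """Pixel area implied by width/height query params; None if absent or invalid."""
    qs = parse_qs(urlsplit(url).query)
    try:
        width, height = int(qs.get("width", [""])[0]), int(qs.get("height", [""])[0])
    except ValueError:
        return None
    return width * height if width > 0 and height > 0 else None

def find_oversized(lines, max_area=MAX_AREA):
    """Return (ip, url, area) for each CAPTCHA request whose area exceeds max_area."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        ip, url = m.group("ip"), m.group("url")
        if "captcha" not in urlsplit(url).path.lower():
            continue
        area = requested_area(url)
        if area is not None and area > max_area:
            hits.append((ip, url, area))
    return hits

def offenders(lines, max_area=MAX_AREA):
    """Oversized-request count per client IP, highest first (input for a block/rate rule)."""
    return Counter(ip for ip, _, _ in find_oversized(lines, max_area)).most_common()

SAMPLE_LOG = [
    '198.51.100.7 - - [17/Dec/2024:11:10:17 +0000] "GET /example-captcha.php?width=200&height=60 HTTP/1.1" 200 4096',
    '203.0.113.5 - - [17/Dec/2024:11:10:18 +0000] "GET /example-captcha.php?width=20000&height=20000 HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Dec/2024:11:10:19 +0000] "GET /example-captcha.php?width=30000&height=abc HTTP/1.1" 400 0',
    '203.0.113.5 - - [17/Dec/2024:11:10:20 +0000] "GET /example-captcha.php?width=30000&height=30000 HTTP/1.1" 503 0',
    '198.51.100.7 - - [17/Dec/2024:11:10:21 +0000] "GET /?width=9999&height=9999 HTTP/1.1" 200 1024',
]
```

The threshold and the per-IP counts are the two knobs a WAF rule or rate limiter would be tuned from; the malformed third line shows that non-numeric dimensions are ignored rather than counted.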


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-12-13T00:38:11.068Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e44b7ef31ef0b59c026

Added to database: 2/25/2026, 9:48:52 PM

Last enriched: 2/26/2026, 3:29:35 AM

Last updated: 2/26/2026, 6:02:53 AM
