CVE-2024-12601

Published: Dec 17, 2024Modified: Jun 5, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 3.9 / Impact: 1.4

Source: security@wordfence.com (Secondary)

Description

The Calculated Fields Form plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 5.2.63. This is due to unlimited height and width parameters for CAPTCHA images. This makes it possible for unauthenticated attackers to send multiple requests with large values, resulting in slowing server resources if the server does not mitigate Denial of Service attacks.

Affected (1)

Products: Codepeople: Calculated Fields Form

1 product

Calculated Fields Form

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Codepeople Calculated Fields Form	Before 5.2.64

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (4)

https://plugins.trac.wordpress.org/browser/calculated-fields-form/trunk/captcha/captcha.php#L74

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/browser/calculated-fields-form/trunk/captcha/captcha.php#L75

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/changeset/3207826/

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/1eade2ed-9a75-4857-a2c5-a21e016e7029?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.