Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-accessible unauthenticated form bypass with no user interaction; integrity-only impact since bypass enables unauthorized form submissions but confers no data read or availability disruption.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Authentication in Simple Cloudflare Turnstile <= 1.38.0 versions.
AnalysisAI
Broken authentication in the Simple Cloudflare Turnstile WordPress plugin (versions ≤ 1.38.0) allows unauthenticated remote attackers to bypass Cloudflare Turnstile CAPTCHA verification on any protected form without completing the bot-detection challenge. Classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and reported by Patchstack, the flaw enables automated or scripted form submissions that the plugin was designed to block - including login, registration, contact, and WooCommerce checkout forms. No public exploit code has been identified at time of analysis, though the network-accessible, zero-complexity nature of the bypass makes it trivially replicable by any attacker familiar with WordPress form mechanics.
Technical ContextAI
The Simple Cloudflare Turnstile plugin by RelyWP (CPE: cpe:2.3:a:relywp:simple_cloudflare_turnstile) integrates Cloudflare's Turnstile CAPTCHA service into WordPress form workflows, replacing or supplementing reCAPTCHA with a privacy-preserving bot-detection challenge. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) indicates the server-side verification of the Turnstile challenge response token is flawed - the plugin either fails to call the Cloudflare Siteverify API endpoint under certain conditions, accepts an absent or malformed token, or exposes an alternate submission path that skips the validation routine entirely. This is a server-side logic defect, not a cryptographic weakness: Cloudflare's own Turnstile service is not compromised; rather, the plugin's integration layer fails to enforce successful challenge completion before accepting form input.
RemediationAI
Update the Simple Cloudflare Turnstile plugin to a version above 1.38.0 as soon as a patched release is published by RelyWP - the Patchstack advisory page should be monitored for the confirmed fix version, as no patched version number is independently confirmed from the available data. In the interim, administrators who cannot immediately update should consider temporarily disabling Turnstile protection on the most abuse-sensitive forms and replacing it with an alternative CAPTCHA or anti-spam mechanism; note that disabling forms will impact legitimate user flows and should be weighed against abuse risk. As a more targeted compensating control, a custom server-side middleware or mu-plugin can independently call the Cloudflare Turnstile Siteverify API (https://challenges.cloudflare.com/turnstile/v0/siteverify) on every form submission, bypassing the vulnerable plugin validation logic entirely - this mitigates the bypass without disabling forms but requires development effort. WAF rate-limiting rules (e.g., via Cloudflare WAF or a WordPress security plugin) on form submission endpoints can reduce automated abuse volume but do not remediate the underlying authentication bypass.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36808
GHSA-x75m-vg6j-vq53