Skip to main content

Simple Cloudflare Turnstile CVE-2026-40799

| EUVDEUVD-2026-36808 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 Patchstack GHSA-x75m-vg6j-vq53
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible unauthenticated form bypass with no user interaction; integrity-only impact since bypass enables unauthorized form submissions but confers no data read or availability disruption.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 23:05 vuln.today
CVSS changed
Jun 15, 2026 - 21:22 NVD
5.8 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

Unauthenticated Broken Authentication in Simple Cloudflare Turnstile <= 1.38.0 versions.

AnalysisAI

Broken authentication in the Simple Cloudflare Turnstile WordPress plugin (versions ≤ 1.38.0) allows unauthenticated remote attackers to bypass Cloudflare Turnstile CAPTCHA verification on any protected form without completing the bot-detection challenge. Classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and reported by Patchstack, the flaw enables automated or scripted form submissions that the plugin was designed to block - including login, registration, contact, and WooCommerce checkout forms. No public exploit code has been identified at time of analysis, though the network-accessible, zero-complexity nature of the bypass makes it trivially replicable by any attacker familiar with WordPress form mechanics.

Technical ContextAI

The Simple Cloudflare Turnstile plugin by RelyWP (CPE: cpe:2.3:a:relywp:simple_cloudflare_turnstile) integrates Cloudflare's Turnstile CAPTCHA service into WordPress form workflows, replacing or supplementing reCAPTCHA with a privacy-preserving bot-detection challenge. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) indicates the server-side verification of the Turnstile challenge response token is flawed - the plugin either fails to call the Cloudflare Siteverify API endpoint under certain conditions, accepts an absent or malformed token, or exposes an alternate submission path that skips the validation routine entirely. This is a server-side logic defect, not a cryptographic weakness: Cloudflare's own Turnstile service is not compromised; rather, the plugin's integration layer fails to enforce successful challenge completion before accepting form input.

RemediationAI

Update the Simple Cloudflare Turnstile plugin to a version above 1.38.0 as soon as a patched release is published by RelyWP - the Patchstack advisory page should be monitored for the confirmed fix version, as no patched version number is independently confirmed from the available data. In the interim, administrators who cannot immediately update should consider temporarily disabling Turnstile protection on the most abuse-sensitive forms and replacing it with an alternative CAPTCHA or anti-spam mechanism; note that disabling forms will impact legitimate user flows and should be weighed against abuse risk. As a more targeted compensating control, a custom server-side middleware or mu-plugin can independently call the Cloudflare Turnstile Siteverify API (https://challenges.cloudflare.com/turnstile/v0/siteverify) on every form submission, bypassing the vulnerable plugin validation logic entirely - this mitigates the bypass without disabling forms but requires development effort. WAF rate-limiting rules (e.g., via Cloudflare WAF or a WordPress security plugin) on form submission endpoints can reduce automated abuse volume but do not remediate the underlying authentication bypass.

Share

CVE-2026-40799 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy