Skip to main content

Simple Cloudflare Turnstile

1 CVEs product

Monthly

CVE-2026-40799 MEDIUM This Month

Broken authentication in the Simple Cloudflare Turnstile WordPress plugin (versions ≤ 1.38.0) allows unauthenticated remote attackers to bypass Cloudflare Turnstile CAPTCHA verification on any protected form without completing the bot-detection challenge. Classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and reported by Patchstack, the flaw enables automated or scripted form submissions that the plugin was designed to block - including login, registration, contact, and WooCommerce checkout forms. No public exploit code has been identified at time of analysis, though the network-accessible, zero-complexity nature of the bypass makes it trivially replicable by any attacker familiar with WordPress form mechanics.

Information Disclosure Simple Cloudflare Turnstile Cloudflare
NVD
CVSS 3.1
5.3
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken authentication in the Simple Cloudflare Turnstile WordPress plugin (versions ≤ 1.38.0) allows unauthenticated remote attackers to bypass Cloudflare Turnstile CAPTCHA verification on any protected form without completing the bot-detection challenge. Classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and reported by Patchstack, the flaw enables automated or scripted form submissions that the plugin was designed to block - including login, registration, contact, and WooCommerce checkout forms. No public exploit code has been identified at time of analysis, though the network-accessible, zero-complexity nature of the bypass makes it trivially replicable by any attacker familiar with WordPress form mechanics.

Information Disclosure Simple Cloudflare Turnstile Cloudflare
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy