CVE-2026-40799 MEDIUM

CVE-2026-40799: WordPress Simple Cloudflare Turnstile plugin <= 1.38.0 - Broken Authentication vulnerability

Vendor Relywp
Product Simple Cloudflare Turnstile
Weakness CWE-288
Published June 15, 2026
Last update June 15, 2026

CVSS base score

5.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Unauthenticated Broken Authentication in Simple Cloudflare Turnstile <= 1.38.0 versions.

Explanation of Vulnerability in Simple Terms

02Summary

Simple Cloudflare Turnstile versions up to 1.38.0 contain an authentication bypass vulnerability. An attacker can manipulate requests to bypass the Turnstile CAPTCHA verification without user interaction. This allows automated attacks, spam submissions, or unauthorized actions on sites using this plugin. Update to a version newer than 1.38.0 immediately.

What an attacker can do

03Attacker Capabilities

Bypass Cloudflare Turnstile CAPTCHA verification to submit forms or perform actions without solving the challenge.

Potential impact on your site

04Site Impact

Spam, automated attacks, and unauthorized form submissions bypass your CAPTCHA protection.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated

Related vulnerabilities

08Related CVE