WordPress Plugin Vulnerabilities

Simple Cloudflare Turnstile < 1.23.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description

The Simple Cloudflare Turnstile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gravity-simple-turnstile' shortcode in versions up to, and including, 1.23.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
simple-cloudflare-turnstile
Fixed in 1.23.2

References

CVE
CVE-2023-5135
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/91f6c9d3-641d-42f7-bf11-e3c3a44eeb76

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
e3d7c9de-4116-4ec8-aa6f-f7dc5fa21d21

Timeline

Publicly Published
2023-09-22 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-21 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
Custom iFrame for Elementor < 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-04-21
Title
GiveWP – Donation Plugin and Fundraising Platform < 4.14.3 - Reflected Cross-Site Scripting
Published
2026-02-24
Title
Rise Blocks – A Complete Gutenberg Page Builder <= 3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Site Identity Block Attributes
Published
2025-02-03
Title
All push notification for WP <= 1.5.3 - Unauthenticated Stored Cross-Site Scripting
Published
2025-07-28
Title
Magical Addons For Elementor < 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes