CVE-2023-5135 in Simple Cloudflare Turnstile Plugin

Summary

by MITRE • 09/27/2023

The Simple Cloudflare Turnstile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gravity-simple-turnstile' shortcode in versions up to, and including, 1.23.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 04/10/2026

The Simple Cloudflare Turnstile plugin for WordPress presents a critical security vulnerability classified as CVE-2023-5135, affecting versions up to and including 1.23.1. The vulnerability is a stored cross-site scripting flaw in the plugin's gravity-simple-turnstile shortcode implementation, creating a persistent threat vector that can compromise user sessions and execute malicious code within the context of affected websites. The flaw lies in the plugin's handling of user-supplied shortcode attributes: input sanitization and output escaping are insufficient, so malicious content submitted by authenticated users is neither validated nor encoded before it is rendered.

The technical flaw stems from the plugin's failure to adequately sanitize user input passed through the gravity-simple-turnstile shortcode, allowing attackers to inject malicious scripts that are stored and persist. The shortcode attributes are then rendered in web pages without proper HTML escaping or content validation. The vulnerability requires only contributor-level permissions or higher, making it particularly dangerous as it can be exploited by users with relatively low privilege levels within WordPress installations. Attackers can leverage this weakness to inject JavaScript code that executes whenever legitimate users access pages containing the malicious shortcode, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of victims.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable sophisticated attacks such as session hijacking, credential theft, and privilege escalation within the compromised WordPress environment. When authenticated users access pages containing the malicious shortcode, their browsers execute the injected scripts, potentially allowing attackers to establish persistent backdoors or exfiltrate sensitive data from the target website. The vulnerability affects the broader WordPress ecosystem by potentially compromising multiple sites that rely on the plugin for security verification, creating cascading security risks for organizations that depend on Cloudflare Turnstile for form validation and bot protection. The stored nature of the vulnerability means that once injected, malicious code remains active until manually removed, providing attackers with extended persistence windows and increasing the difficulty of detection and remediation.

Mitigation strategies for CVE-2023-5135 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement strict role-based access controls to limit contributor-level permissions and monitor user activity for suspicious shortcode modifications. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and maps to ATT&CK techniques such as T1566.001 for credential access through phishing and T1071.001 for application layer protocol usage. Security teams should conduct comprehensive audits of all installed plugins to identify similar sanitization gaps and implement web application firewalls to detect and block malicious shortcode injection attempts. Additionally, regular security scanning and monitoring of user-generated content should be implemented to identify potential exploitation attempts before they can cause significant damage to the WordPress installation or compromise user data.
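An added example (not from VulDB, Wordfence or the plugin's code) of the content monitoring recommended above: it scans exported `post_content` values for the `gravity-simple-turnstile` shortcode and flags attribute values containing quotes, angle brackets, event-handler names or `javascript:` URIs. The attribute names and sample posts are constructed for illustration; this page does not list the plugin's real attribute names, so every attribute is checked.

```python
import re

SHORTCODE = "gravity-simple-turnstile"  # shortcode named in the advisory

# Matches [gravity-simple-turnstile ...] and captures the raw attribute string.
TAG_RE = re.compile(r"\[" + re.escape(SHORTCODE) + r"(?![\w-])([^\]]*)\]")
# name="v", name='v' or name=v (simplified form of WordPress attribute syntax).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"]+))""")
# Content that has no place in a plain shortcode attribute value.
RISKY = [
    ("quote", re.compile(r"""["']""")),
    ("angle-bracket", re.compile(r"[<>]")),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script-uri", re.compile(r"javascript\s*:", re.I)),
]

def audit_post(post_id, content):
    """Return one finding per shortcode attribute whose value looks unsafe."""
    findings = []
    for tag in TAG_RE.finditer(content):
        for m in ATTR_RE.finditer(tag.group(1)):
            # Exactly one of the three value groups matched; the others are None.
            value = next(g for g in m.groups()[1:] if g is not None)
            reasons = [label for label, rx in RISKY if rx.search(value)]
            if reasons:
                findings.append({"post": post_id, "attr": m.group(1),
                                 "value": value, "reasons": reasons})
    return findings

def scan(posts):
    """posts: mapping of post ID -> post_content string."""
    return [f for pid, body in posts.items() for f in audit_post(pid, body)]

# Constructed sample data; attribute names (theme, size, label) are hypothetical.
SAMPLE_POSTS = {
    101: 'Contact us [gravity-simple-turnstile theme="dark" size=compact]',
    102: """[gravity-simple-turnstile theme="light'><i>x</i>"]""",
    103: """[gravity-simple-turnstile label='a" onfocus="0']""",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_POSTS):
        print(finding)
```

Findings identify posts to review and the contributor account that last edited them; a clean result does not replace updating the plugin.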

Responsible: Wordfence

Reservation: 09/22/2023

Disclosure: 09/27/2023

Moderation: accepted

CPE: ready

EPSS: 0.00636

KEV: no

Activities: very low
