WP-Safety

Simple CAPTCHA Alternative with Cloudflare Turnstile Security & Risk Analysis

wordpress.org/plugins/simple-cloudflare-turnstile

Add Cloudflare Turnstile to WordPress, WooCommerce, Contact Forms & more. The user-friendly, privacy-preserving reCAPTCHA alternative. 100% free!

100K active installs v1.38.1 PHP + WP 4.7+ Updated Apr 13, 2026
captchacloudflareprotectspamturnstile
98
A · Safe
CVEs total2
Unpatched0
Last CVEMay 8, 2026
Download
Safety Verdict

Is Simple CAPTCHA Alternative with Cloudflare Turnstile Safe to Use in 2026?

Generally Safe

Score 98/100

Simple CAPTCHA Alternative with Cloudflare Turnstile has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: May 8, 2026Updated 1mo ago
Risk Assessment

The simple-cloudflare-turnstile plugin, version 1.37.0, presents a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and has a seemingly low attack surface with no unprotected entry points. The presence of numerous nonce and capability checks further suggests an intent to secure operations. However, a significant concern arises from the output escaping, with less than half of the observed outputs being properly sanitized. This is a common vector for Cross-Site Scripting (XSS) vulnerabilities, which aligns with the plugin's past vulnerability history.

The taint analysis, while limited in scope with only three flows analyzed, did identify one flow with unsanitized paths. Although not rated as critical or high, this warrants attention as it could potentially be leveraged in an attack. The plugin's vulnerability history, despite having no currently unpatched CVEs, reveals a past medium-severity XSS vulnerability. This, coupled with the current output escaping issues, strongly indicates a recurring risk of input sanitization weaknesses.

In conclusion, while the plugin has several strong security foundations like secure SQL handling and protected entry points, the significant proportion of improperly escaped output and the identified unsanitized path flow represent notable weaknesses. The historical XSS vulnerability reinforces the need for thorough output sanitization to prevent future exploits. Users should be aware of the potential for XSS if further vulnerabilities are discovered in output handling.

Key Concerns

  • Output escaping is only 47% proper
  • Taint flow with unsanitized paths found
  • Past medium vulnerability for XSS
Vulnerabilities
2 published

Simple CAPTCHA Alternative with Cloudflare Turnstile Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2026-40799medium · 5.3Improper Authorization

Simple CAPTCHA Alternative with Cloudflare Turnstile <= 1.38.0 - Broken Authorization

May 8, 2026 Patched in 1.38.1 (4d)
CVE-2023-5135medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Cloudflare Turnstile <= 1.23.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Sep 22, 2023 Patched in 1.23.2 (123d)
Version History

Simple CAPTCHA Alternative with Cloudflare Turnstile Release Timeline

v1.38.1Current
v1.38.01 CVE
CVE-2026-40799
v1.37.01 CVE
CVE-2026-40799
v1.36.11 CVE
CVE-2026-40799
v1.36.01 CVE
CVE-2026-40799
v1.35.01 CVE
CVE-2026-40799
v1.34.31 CVE
CVE-2026-40799
v1.34.21 CVE
CVE-2026-40799
v1.34.11 CVE
CVE-2026-40799
v1.34.01 CVE
CVE-2026-40799
v1.33.11 CVE6 files changed
CVE-2026-40799
v1.33.01 CVE
CVE-2026-40799
v1.32.31 CVE3 files changed
CVE-2026-40799
v1.32.21 CVE5 files changed
CVE-2026-40799
v1.32.11 CVE5 files changed
CVE-2026-40799
v1.32.01 CVE9 files changed
CVE-2026-40799
v1.31.01 CVE8 files changed
CVE-2026-40799
v1.30.01 CVE12 files changed
CVE-2026-40799
v1.29.01 CVE6 files changed
CVE-2026-40799
v1.28.11 CVE5 files changed
CVE-2026-40799
Code Analysis
Analyzed Mar 16, 2026

Simple CAPTCHA Alternative with Cloudflare Turnstile Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
287
252 escaped
Nonce Checks
13
Capability Checks
3
File Operations
1
External Requests
4
Bundled Libraries
0

Output Escaping

47% escaped539 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths
cfturnstile_import_admin_notices (inc\admin\export-import.php:141)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Simple CAPTCHA Alternative with Cloudflare Turnstile Attack Surface

Entry Points4
Unprotected0

Shortcodes 4

[cf7-simple-turnstile] inc\integrations\forms\contact-form-7.php:7
[gravity-simple-turnstile] inc\integrations\forms\gravity-forms.php:9
[mc4wp-simple-turnstile] inc\integrations\newsletters\mc4wp.php:7
[simple-turnstile] inc\turnstile.php:326
WordPress Hooks 155
actionadmin_menuinc\admin\admin-options.php:7
actionupdate_option_cfturnstile_keyinc\admin\admin-options.php:20
actionupdate_option_cfturnstile_secretinc\admin\admin-options.php:21
actionadmin_post_cfturnstile_export_settingsinc\admin\export-import.php:55
actionadmin_post_cfturnstile_import_settingsinc\admin\export-import.php:136
actionadmin_noticesinc\admin\export-import.php:180
actionadmin_initinc\admin\register-settings.php:15
actionsanitize_option_cfturnstile_uninstall_removeinc\admin\register-settings.php:29
filteroption_cfturnstile_keyinc\config-keys.php:9
filteroption_cfturnstile_secretinc\config-keys.php:15
filterpre_option_cfturnstile_keyinc\config-keys.php:21
filterpre_option_cfturnstile_secretinc\config-keys.php:27
filterpre_update_option_cfturnstile_keyinc\config-keys.php:34
filterpre_update_option_cfturnstile_secretinc\config-keys.php:40
actionadmin_noticesinc\errors.php:9
actionbbp_theme_before_topic_form_submit_wrapperinc\integrations\community\bbpress.php:10
actionbbp_new_topic_pre_extrasinc\integrations\community\bbpress.php:21
actionbbp_theme_before_reply_form_submit_wrapperinc\integrations\community\bbpress.php:28
actionbbp_new_reply_pre_extrasinc\integrations\community\bbpress.php:39
actionbp_before_registration_submit_buttonsinc\integrations\community\buddypress.php:9
actionbp_signup_validateinc\integrations\community\buddypress.php:15
actionwpdiscuz_before_commentsinc\integrations\community\wpdiscuz.php:8
actionwpdiscuz_submit_button_beforeinc\integrations\community\wpdiscuz.php:13
actionwpdiscuz_before_comment_postinc\integrations\community\wpdiscuz.php:57
actionedd_purchase_form_before_submitinc\integrations\ecommerce\edd.php:22
actionedd_pre_process_purchaseinc\integrations\ecommerce\edd.php:23
actionedd_login_fields_afterinc\integrations\ecommerce\edd.php:52
actionauthenticateinc\integrations\ecommerce\edd.php:53
filtercfturnstile_wp_login_checksinc\integrations\ecommerce\edd.php:68
actionedd_register_form_fields_before_submitinc\integrations\ecommerce\edd.php:82
actionedd_process_register_forminc\integrations\ecommerce\edd.php:83
actionpmpro_checkout_before_submit_buttoninc\integrations\ecommerce\pmp.php:37
filterpmpro_registration_checksinc\integrations\ecommerce\pmp.php:38
filterlogin_form_middleinc\integrations\ecommerce\pmp.php:58
actioncfturnstile_wp_login_failedinc\integrations\ecommerce\pmp.php:59
actioncfw_checkout_before_payment_method_tab_navinc\integrations\ecommerce\woocommerce.php:68
actionwoocommerce_review_order_before_paymentinc\integrations\ecommerce\woocommerce.php:70
filterrender_block_woocommerce/checkout-payment-blockinc\integrations\ecommerce\woocommerce.php:71
actionwoocommerce_review_order_after_paymentinc\integrations\ecommerce\woocommerce.php:73
filterrender_block_woocommerce/checkout-payment-blockinc\integrations\ecommerce\woocommerce.php:74
actionwoocommerce_before_checkout_billing_forminc\integrations\ecommerce\woocommerce.php:76
filterrender_block_woocommerce/checkout-contact-information-blockinc\integrations\ecommerce\woocommerce.php:77
actionwoocommerce_after_checkout_billing_forminc\integrations\ecommerce\woocommerce.php:79
filterrender_block_woocommerce/checkout-shipping-methods-blockinc\integrations\ecommerce\woocommerce.php:80
actionwoocommerce_review_order_before_submitinc\integrations\ecommerce\woocommerce.php:82
filterrender_block_woocommerce/checkout-actions-blockinc\integrations\ecommerce\woocommerce.php:83
actionwoocommerce_checkout_processinc\integrations\ecommerce\woocommerce.php:87
actionwoocommerce_after_checkout_validationinc\integrations\ecommerce\woocommerce.php:88
actionwoocommerce_store_api_checkout_update_order_from_requestinc\integrations\ecommerce\woocommerce.php:133
actionwoocommerce_loadedinc\integrations\ecommerce\woocommerce.php:205
actionwoocommerce_checkout_order_processedinc\integrations\ecommerce\woocommerce.php:230
actionwoocommerce_store_api_checkout_order_processedinc\integrations\ecommerce\woocommerce.php:231
actionwoocommerce_thankyouinc\integrations\ecommerce\woocommerce.php:232
actionwp_logoutinc\integrations\ecommerce\woocommerce.php:243
actionwoocommerce_pay_order_before_submitinc\integrations\ecommerce\woocommerce.php:247
actionwoocommerce_before_pay_actioninc\integrations\ecommerce\woocommerce.php:248
actionwoocommerce_login_forminc\integrations\ecommerce\woocommerce.php:260
actionauthenticateinc\integrations\ecommerce\woocommerce.php:262
actionwp_logininc\integrations\ecommerce\woocommerce.php:294
filtercfturnstile_wp_login_checksinc\integrations\ecommerce\woocommerce.php:302
actionwoocommerce_register_forminc\integrations\ecommerce\woocommerce.php:314
actionwoocommerce_register_postinc\integrations\ecommerce\woocommerce.php:316
actionwoocommerce_lostpassword_forminc\integrations\ecommerce\woocommerce.php:333
actionlostpassword_postinc\integrations\ecommerce\woocommerce.php:334
filterwpcf7_form_elementsinc\integrations\forms\contact-form-7.php:8
actionwpcf7_form_elementsinc\integrations\forms\contact-form-7.php:27
filterwpcf7_validateinc\integrations\forms\contact-form-7.php:39
actionwpcf7_initinc\integrations\forms\contact-form-7.php:82
actionwpcf7_admin_initinc\integrations\forms\contact-form-7.php:88
actionfluentform/render_item_submit_buttoninc\integrations\forms\fluent-forms.php:10
actionfluentform_render_item_submit_buttoninc\integrations\forms\fluent-forms.php:13
actionfluentform/before_insert_submissioninc\integrations\forms\fluent-forms.php:24
actionfrm_submit_button_htmlinc\integrations\forms\formidable.php:9
actionfrm_validate_entryinc\integrations\forms\formidable.php:37
filterforminator_render_form_submit_markupinc\integrations\forms\forminator.php:9
actionforminator_custom_form_submit_errorsinc\integrations\forms\forminator.php:95
actiongform_submit_buttoninc\integrations\forms\gravity-forms.php:32
actiongform_validationinc\integrations\forms\gravity-forms.php:45
filterjetpack_contact_form_htmlinc\integrations\forms\jetpack.php:7
filterjetpack_contact_form_is_spaminc\integrations\forms\jetpack.php:44
filterjetpack_contact_form_htmlinc\integrations\forms\jetpack.php:58
filterrender_blockinc\integrations\forms\kadence.php:11
actionkadence_blocks_form_verify_nonceinc\integrations\forms\kadence.php:60
actionwpforms_display_submit_afterinc\integrations\forms\wpforms.php:10
actionwpforms_display_submit_beforeinc\integrations\forms\wpforms.php:12
actionwpforms_process_beforeinc\integrations\forms\wpforms.php:23
actionmepr-login-form-before-submitinc\integrations\membership\memberpress.php:7
actionmepr-checkout-before-submitinc\integrations\membership\memberpress.php:11
filtermepr-validate-signupinc\integrations\membership\memberpress.php:30
filtermepr-auto-logininc\integrations\membership\memberpress.php:80
actionum_after_login_fieldsinc\integrations\membership\ultimate-member.php:7
actionum_after_register_fieldsinc\integrations\membership\ultimate-member.php:8
actionum_after_password_reset_fieldsinc\integrations\membership\ultimate-member.php:9
actionum_submit_form_errors_hook_logininc\integrations\membership\ultimate-member.php:15
actionum_submit_form_errors_hook__registrationinc\integrations\membership\ultimate-member.php:16
actionum_reset_password_errors_hookinc\integrations\membership\ultimate-member.php:17
actionum_user_logininc\integrations\membership\ultimate-member.php:52
filterwpmem_pre_validate_forminc\integrations\membership\wp-members.php:8
actionwpum_before_submit_button_login_forminc\integrations\membership\wp-user-manager.php:7
actionwpum_before_submit_button_password_recovery_forminc\integrations\membership\wp-user-manager.php:12
filtersubmit_wpum_form_validate_fieldsinc\integrations\membership\wp-user-manager.php:13
actionwpum_before_submit_button_registration_forminc\integrations\membership\wp-user-manager.php:32
actionwpum_before_registration_startinc\integrations\membership\wp-user-manager.php:33
actionwpuf_login_form_bottominc\integrations\membership\wpuf.php:17
actionwpuf_reg_form_bottominc\integrations\membership\wpuf.php:24
actionwpuf_process_registration_errorsinc\integrations\membership\wpuf.php:25
actionlostpassword_postinc\integrations\membership\wpuf.php:50
actionwpuf_add_post_form_bottominc\integrations\membership\wpuf.php:69
actionwpuf_add_post_validateinc\integrations\membership\wpuf.php:70
filtermailpoet_form_widget_post_processinc\integrations\newsletters\mailpoet.php:24
actionmailpoet_subscription_before_subscribeinc\integrations\newsletters\mailpoet.php:27
actionmc4wp_form_errorsinc\integrations\newsletters\mc4wp.php:19
filtermc4wp_form_messagesinc\integrations\newsletters\mc4wp.php:51
actioncleanlogin_after_login_forminc\integrations\other\clean-login.php:6
actioncleanlogin_after_register_forminc\integrations\other\clean-login.php:7
actioncleanlogin_after_resetpassword_forminc\integrations\other\clean-login.php:8
actionwp_enqueue_scriptsinc\integrations\other\elementor.php:9
actionelementor_pro/forms/validationinc\integrations\other\elementor.php:117
filtersgo_javascript_combine_excludeinc\integrations\other\perf.php:9
filtersgo_javascript_combine_excluded_external_pathsinc\integrations\other\perf.php:10
filterlitespeed_optimize_js_excludesinc\integrations\other\perf.php:20
filterautoptimize_filter_js_excludeinc\integrations\other\perf.php:30
filterperfmatters_delay_js_exclusionsinc\integrations\other\perf.php:50
filterrocket_minify_excluded_external_jsinc\integrations\other\perf.php:62
filterrocket_minify_excluded_jsinc\integrations\other\perf.php:63
filterrocket_delay_js_exclusionsinc\integrations\other\perf.php:64
filterrocket_exclude_jsinc\integrations\other\perf.php:65
filterrocket_defer_js_exclusionsinc\integrations\other\perf.php:66
filterwp_resource_hintsinc\integrations\other\resource-hints.php:10
actionlogin_headinc\integrations\other\resource-hints.php:42
actioncfturnstile_after_fieldinc\turnstile.php:80
actioncfturnstile_after_fieldinc\turnstile.php:94
actioncfturnstile_after_fieldinc\turnstile.php:112
actioncfturnstile_after_fieldinc\turnstile.php:130
actioncfturnstile_after_fieldinc\turnstile.php:159
actioncfturnstile_after_checkinc\turnstile.php:274
actioncfturnstile_display_widgetinc\turnstile.php:327
actionlogin_forminc\wordpress.php:41
filterauthenticateinc\wordpress.php:42
actionwp_logininc\wordpress.php:92
filterlogin_form_middleinc\wordpress.php:103
actionregister_forminc\wordpress.php:110
actionregistration_errorsinc\wordpress.php:111
actionlostpassword_forminc\wordpress.php:150
actionlostpassword_postinc\wordpress.php:151
actioncomment_form_afterinc\wordpress.php:172
actioncomment_form_submit_buttoninc\wordpress.php:179
actionpre_comment_on_postinc\wordpress.php:225
actionadmin_initsimple-cloudflare-turnstile.php:28
filterplugin_action_linkssimple-cloudflare-turnstile.php:46
actionadmin_enqueue_scriptssimple-cloudflare-turnstile.php:70
actioncfturnstile_enqueue_scriptssimple-cloudflare-turnstile.php:85
actionlogin_enqueue_scriptssimple-cloudflare-turnstile.php:86
filterscript_loader_tagsimple-cloudflare-turnstile.php:117
actionbefore_woocommerce_initsimple-cloudflare-turnstile.php:268
Maintenance & Trust

Simple CAPTCHA Alternative with Cloudflare Turnstile Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 13, 2026
PHP min version
Downloads1.7M

Community Trust

Rating94/100
Number of ratings231
Active installs100K
Alternatives

Simple CAPTCHA Alternative with Cloudflare Turnstile Alternatives

CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress

CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress

advanced-nocaptcha-recaptcha

A
99

Use CAPTCHA to stop spam and allow customers & users to interact with your website easily. Block fake accounts and orders. Avoid false positives.

100K 1 CVE
Enable Turnstile (Cloudflare) for Gravity Forms

Enable Turnstile (Cloudflare) for Gravity Forms

enable-turnstile-cloudflare-for-gravity-forms

A
100

A lightweight plugin to enable Cloudflare's Turnstile alternative CAPTCHA on your Gravity Forms.

600 No CVEs
Bot Protection with Turnstile

Bot Protection with Turnstile

bot-protection-turnstile

A
100

A lightweight plugin that protects core WordPress forms and selected third‑party plugins from spam and bot attacks using Cloudflare Turnstile CAPTCHA.

80 No CVEs
Turnstile Pro – Cloudflare CAPTCHA Protection

Turnstile Pro – Cloudflare CAPTCHA Protection

turnstile-pro

A
100

Lightweight, easy-to-configure Cloudflare Turnstile CAPTCHA protection for WordPress login, registration, comments, and password reset forms.

10 No CVEs
OhmTang CFT

OhmTang CFT

ohmtang-cft

A
100

Integrate Cloudflare Turnstile CAPTCHA for WordPress & WooCommerce forms with custom error messages, each form controlled individually

0 No CVEs
Developer Profile

Simple CAPTCHA Alternative with Cloudflare Turnstile Developer Profile

Elliot Sowersby / RelyWP

8 plugins · 146K total installs

77
trust score
Avg Security Score
97/100
Avg Patch Time
206 days
View full developer profile
Detection Fingerprints

How We Detect Simple CAPTCHA Alternative with Cloudflare Turnstile

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/simple-cloudflare-turnstile/js/admin-scripts.js/wp-content/plugins/simple-cloudflare-turnstile/css/admin-style.css/wp-content/plugins/simple-cloudflare-turnstile/js/disable-submit.js/wp-content/plugins/simple-cloudflare-turnstile/js/integrations/woocommerce.js/wp-content/plugins/simple-cloudflare-turnstile/css/cfturnstile.css/wp-content/plugins/simple-cloudflare-turnstile/js/integrations/blocksy.js
Script Paths
https://challenges.cloudflare.com/turnstile/v0/api.js?render=auto
Version Parameters
simple-cloudflare-turnstile/js/admin-scripts.js?ver=simple-cloudflare-turnstile/css/admin-style.css?ver=simple-cloudflare-turnstile/js/disable-submit.js?ver=simple-cloudflare-turnstile/js/integrations/woocommerce.js?ver=simple-cloudflare-turnstile/css/cfturnstile.css?ver=simple-cloudflare-turnstile/js/integrations/blocksy.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-cfasync='false'
FAQ

Frequently Asked Questions about Simple CAPTCHA Alternative with Cloudflare Turnstile