cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for Cloudflare

Jun 07, 2024

Cloudflare # f08cd4b8d2fd9232b03273f997f5656375cae41d

Application

Cloudflare

Date
Mar 28, 2016
Research Description
Cloudflare [cloudflare] < 1.3.21: WordPress CloudFlare Plugin <= 1.3.20 - Cross Site Scripting. Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 1.3.21.
Status
vulnerable

Cloudflare # CVE-2017-9841

CVE, Research URL

CVE-2017-9841

Application

Cloudflare

Date
Jun 27, 2017
Research Description
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Affected versions
max 1.1.12.
Status
vulnerable

Cloudflare # CVE-2024-0212

CVE, Research URL

CVE-2024-0212

Application

Cloudflare

Date
Jan 29, 2024
Research Description
The Cloudflare WordPress plugin was found to be vulnerable to improper authentication. The vulnerability enables attackers with a lower-privileged account to access data from the Cloudflare API.
Affected versions
max 4.12.3.
Status
vulnerable
Mar 27, 2026

Cloudflare # PSC-2026-64631

PSC, Research URL

PSC-2026-64631

Application

Cloudflare

Date
Mar 27, 2026
Research Description
CDN and caching integrations are security-relevant because they introduce privileged configuration flows inside wp-admin, handle API tokens, and can directly affect availability and security posture at the edge. If access control, request integrity, or output handling is weak, attackers may force cache purges or mode changes via CSRF, expose sensitive integration metadata, or manipulate settings that impact how the site is protected and cached. Cloudflare version 4.14.2 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64631, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for CDN, caching, and edge-security integration plugins.
Affected versions
Min 4.14.3, max 4.14.3.
Status
SAFE & CERTIFIED
Jun 16, 2026

Cloudflare # f80f3d55a529f665edfbad2a5f56160499fe067f

Application

Cloudflare

Date
Jan 04, 2024
Research Description
Cloudflare [cloudflare] < 4.12.3: Cloudflare <= 4.12.2 - Missing Authorization via initProxy. The Cloudflare plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'initProxy' function in versions up to and including 4.12.2. This makes it possible for authenticated attackers, with subscriber access and above, to send requests proxied through Cloudflare to arbitrary URLs.
Affected versions
max 4.12.3.
Status
vulnerable

Cloudflare # 1e03fb0d-23a1-4451-bf8a-9b5dc9790b50

Application

Cloudflare

Date
-
Research Description
Cloudflare [cloudflare] < 1.3.21: CloudFlare <= 1.3.20 - Authenticated Cross-Site Scripting (XSS). The Cloudflare WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability.
Affected versions
max 1.3.21.
Status
vulnerable

Cloudflare # 1674fd5d30f242cd9c1196dcd4154e705baacb9c

Application

Cloudflare

Date
Mar 28, 2016
Research Description
Cloudflare [cloudflare] < 1.3.21: Cloudflare < 1.3.21 - Cross-Site Scripting. The Cloudflare plugin for WordPress is vulnerable to Cross-Site Scripting via several parameters in versions before 1.3.21 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser.
Affected versions
max 1.3.21.
Status
vulnerable