CVE-2026-6701
Cross-Site Request Forgery in WordPress AddFreespace Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| addfreespace | addfreespace_plugin | to 0.1.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The addfreespace plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 0.1.3. This vulnerability exists because the plugin lacks proper nonce validation on a specific function. As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking a malicious link, which allows the attacker to update plugin settings and inject malicious web scripts.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to modify the settings of the addfreespace plugin without authorization by tricking an administrator into performing an action. This can lead to the injection of malicious web scripts on the affected WordPress site, potentially compromising the site's integrity and security.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the addfreespace plugin to a version later than 0.1.3 where the nonce validation issue is fixed.
Additionally, ensure that site administrators are cautious about clicking on untrusted links to avoid being tricked into performing malicious actions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks that can update settings and inject malicious scripts if a site administrator is tricked into clicking a link.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, such unauthorized changes and potential script injections could lead to data integrity and security issues, which may impact compliance with regulations requiring protection of data and secure system configurations.