Cross-Site Request Forgery in Addfreespace Plugin for WordPress
CVE-2026-6701

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Addfreespace
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-6701?

The Addfreespace plugin for WordPress is susceptible to Cross-Site Request Forgery, affecting all versions up to and including 0.1.3. This vulnerability arises from improper nonce validation in the plugin's functionalities, allowing unauthenticated attackers to exploit this flaw. By tricking an administrator into executing a crafted request, attackers could modify settings or insert harmful scripts, thereby compromising the security of the site. It is imperative for users to update to the latest version to mitigate potential risks.

Affected Version(s)

addfreespace 0 <= 0.1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/addfreespace/t...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Apr 20, 2026

Credit

Muhammad Nur Ibnu Hubab

CVE-2026-6701 Data

JSON