CVE-2026-2410
Received Received - Intake
CSRF in Disable Admin Notices Plugin Allows Redirect Manipulation

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: Wordfence

Description
The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2410
EUVD
EUVD-2026-8520
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
themeisle disable_admin_notices to 1.4.2 (inc)
themeisle disable_admin_notices 1.4.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the WordPress plugin "Disable Admin Notices – Hide Dashboard Notifications" in all versions up to and including 1.4.2. It is a Cross-Site Request Forgery (CSRF) issue caused by missing nonce validation in the function `showPageContent()`. This flaw allows an unauthenticated attacker to add arbitrary URLs to the plugin's blocked redirects list by tricking a site administrator into performing an action, such as clicking a malicious link.

Impact Analysis

This vulnerability can allow an attacker to manipulate the list of blocked redirects in the WordPress admin dashboard without proper authorization. By adding arbitrary URLs to the blocked redirects list, the attacker could interfere with the normal operation of the site’s admin interface, potentially blocking legitimate redirects or causing confusion for administrators. Since the attacker must trick an admin into clicking a link, it relies on social engineering but does not require the attacker to be authenticated.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves Cross-Site Request Forgery (CSRF) in the Disable Admin Notices – Hide Dashboard Notifications WordPress plugin up to version 1.4.2, due to missing nonce validation in the showPageContent() function.

Detection on your system can involve checking if the plugin Disable Admin Notices is installed and running a vulnerable version (up to and including 1.4.2).

Since the vulnerability allows unauthenticated attackers to add arbitrary URLs to the blocked redirects list via forged requests, you can inspect the blocked redirects list in the plugin settings for unexpected or suspicious URLs.

Commands to detect this vulnerability specifically are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, the primary step is to update the Disable Admin Notices plugin to a version later than 1.4.2 where nonce validation has been added to prevent CSRF attacks.

If an immediate update is not possible, restrict access to the WordPress admin dashboard to trusted users only, as the attack requires tricking an administrator into performing an action.

Additionally, review and clean the blocked redirects list in the plugin settings to remove any unauthorized URLs that may have been added.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2410. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart