CVE-2026-2410
CSRF in Disable Admin Notices Plugin Allows Redirect Manipulation
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeisle | disable_admin_notices | to 1.4.2 (inc) |
| themeisle | disable_admin_notices | 1.4.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the WordPress plugin "Disable Admin Notices β Hide Dashboard Notifications" in all versions up to and including 1.4.2. It is a Cross-Site Request Forgery (CSRF) issue caused by missing nonce validation in the function `showPageContent()`. This flaw allows an unauthenticated attacker to add arbitrary URLs to the plugin's blocked redirects list by tricking a site administrator into performing an action, such as clicking a malicious link.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to manipulate the list of blocked redirects in the WordPress admin dashboard without proper authorization. By adding arbitrary URLs to the blocked redirects list, the attacker could interfere with the normal operation of the siteβs admin interface, potentially blocking legitimate redirects or causing confusion for administrators. Since the attacker must trick an admin into clicking a link, it relies on social engineering but does not require the attacker to be authenticated.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Cross-Site Request Forgery (CSRF) in the Disable Admin Notices β Hide Dashboard Notifications WordPress plugin up to version 1.4.2, due to missing nonce validation in the showPageContent() function.
Detection on your system can involve checking if the plugin Disable Admin Notices is installed and running a vulnerable version (up to and including 1.4.2).
Since the vulnerability allows unauthenticated attackers to add arbitrary URLs to the blocked redirects list via forged requests, you can inspect the blocked redirects list in the plugin settings for unexpected or suspicious URLs.
Commands to detect this vulnerability specifically are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the primary step is to update the Disable Admin Notices plugin to a version later than 1.4.2 where nonce validation has been added to prevent CSRF attacks.
If an immediate update is not possible, restrict access to the WordPress admin dashboard to trusted users only, as the attack requires tricking an administrator into performing an action.
Additionally, review and clean the blocked redirects list in the plugin settings to remove any unauthorized URLs that may have been added.