{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2410", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-12T15:19:11.579Z", "datePublished": "2026-02-25T09:26:50.985Z", "dateUpdated": "2026-04-08T17:16:33.594Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:33.594Z"}, "affected": [{"vendor": "themeisle", "product": "Disable Admin Notices \u2013 Hide Dashboard Notifications", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Disable Admin Notices \u2013 Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Disable Admin Notices \u2013 Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3011679-51e8-4a13-8364-1d0723656d08?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/disable-admin-notices/tags/1.4.2/admin/pages/class-pages-edit-redirects.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/disable-admin-notices/trunk/admin/pages/class-pages-edit-redirects.php#L103"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463239/disable-admin-notices/trunk/admin/pages/class-pages-edit-redirects.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lukasz Sobanski"}], "timeline": [{"time": "2026-02-12T15:34:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-24T20:56:18.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:11:14.917207Z", "id": "CVE-2026-2410", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:11:38.154Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T21:11:14.917207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:11:33.380Z"}}], "cna": {"title": "Disable Admin Notices \u2013 Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Lukasz Sobanski"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "themeisle", "product": "Disable Admin Notices \u2013 Hide Dashboard Notifications", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-12T15:34:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-24T20:56:18.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3011679-51e8-4a13-8364-1d0723656d08?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/disable-admin-notices/tags/1.4.2/admin/pages/class-pages-edit-redirects.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/disable-admin-notices/trunk/admin/pages/class-pages-edit-redirects.php#L103"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463239/disable-admin-notices/trunk/admin/pages/class-pages-edit-redirects.php"}], "descriptions": [{"lang": "en", "value": "The Disable Admin Notices \u2013 Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:33.594Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2410", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:33.594Z", "dateReserved": "2026-02-12T15:19:11.579Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-25T09:26:50.985Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Disable Admin Notices \u2013 Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Disable Admin Notices \u2013 Hide Dashboard Notifications para WordPress es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.4.2, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n `showPageContent()`. Esto hace posible que atacantes no autenticados a\u00f1adan URLs arbitrarias a la lista de redirecciones bloqueadas mediante una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-2410", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-25T10:16:18.697", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/disable-admin-notices/tags/1.4.2/admin/pages/class-pages-edit-redirects.php#L103"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/disable-admin-notices/trunk/admin/pages/class-pages-edit-redirects.php#L103"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3463239/disable-admin-notices/trunk/admin/pages/class-pages-edit-redirects.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3011679-51e8-4a13-8364-1d0723656d08?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Disable Admin Notices \u2013 Hide Dashboard Notifications", "source": "cna", "vendor": "themeisle"}, "product": "disable_admin_notices_\u2013_hide_dashboard_notifications", "vendor": "themeisle"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T16:54:56.811411+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin update that addresses the CSRF issue.", "If an update is unavailable, restrict administrator accounts to trusted users and monitor for forged requests using a security plugin.", "Manually review the blocked redirects list and remove any unknown or suspicious entries."], "summary": {"action": "Update Plugin", "impact": "Configuration Modification via CSRF"}, "threat_synthesis": {"affected_systems": "The affected product is the themeisle Disable Admin Notices \u2013 Hide Dashboard Notifications WordPress plugin, all releases up to and including version 1.4.2. No other vendors or products are listed as affected.", "description_and_impact": "The Disable Admin Notices \u2013 Hide Dashboard Notifications plugin for WordPress contains a cross\u2011site request forgery flaw caused by missing nonce validation in the showPageContent() function. The flaw enables an unauthenticated attacker who can trick a site administrator into clicking a link to add arbitrary URLs to the blocked redirects list. The primary impact is unauthorized modification of the plugin\u2019s configuration, which can redirect visitors or alter site behavior. Although the vulnerability does not provide remote code execution, the capability to change redirect rules can facilitate phishing or other indirect attacks. The vulnerability is rated with a CVSS score of 4.3, indicating moderate severity.", "risk_and_exploitability": "The CVSS score of 4.3 and an EPSS of less than one percent suggest a moderate but not high likelihood of exploitation. The flaw requires a social\u2011engineering component: an attacker must persuade a site administrator to trigger a forged request. The absence of the vulnerability from CISA\u2019s KEV catalog further indicates that known exploits are not publicized. A compromise would allow an attacker to inject malicious redirect URLs, potentially redirecting visitors to malicious sites or intercepting traffic. The vulnerability is identified as CWE\u2011352, a cross\u2011site request forgery weakness."}}}}, "created": "2026-02-26T13:18:15.966400+00:00", "updated": "2026-04-15T17:00:07.085653+00:00", "vendors": ["themeisle", "themeisle$PRODUCT$disable_admin_notices_\u2013_hide_dashboard_notifications", "wordpress", "wordpress$PRODUCT$wordpress"]}