Platform
wordpress
Component
disable-admin-notices
Fixed in
1.4.3
CVE-2026-2410 describes a Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability in the Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress. An unauthenticated attacker who can get a logged-in administrator to load a crafted page can cause that administrator's browser to submit a request that alters the plugin's blocked redirects list. The vulnerability affects versions 1.0.0 through 1.4.2 and is patched in version 1.4.3.
Exploitation requires a social-engineering step: the administrator must open a page the attacker controls, or follow a crafted link, while authenticated to the WordPress dashboard in the same browser. A hidden or auto-submitting form on that page then sends the modifying request, and the browser attaches the administrator's session cookies, so the site accepts it as a legitimate admin action. The direct result is an unauthorized change to the blocked redirects list (entries added or removed); whether that has any further effect depends on how the site relies on that list, and the MEDIUM rating (CVSS 4.3) reflects that no code execution or privilege escalation is attributed to this issue. The blast radius is limited to the WordPress site itself and its administrators.
CVE-2026-2410 was publicly disclosed on 2026-02-25. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's severity is rated as MEDIUM (CVSS 4.3). It has not yet been added to the CISA KEV catalog. Active exploitation is currently unknown, but the availability of a public CVE increases the risk of future attacks.
Any WordPress site running the Disable Admin Notices – Hide Dashboard Notifications plugin at version 1.0.0 through 1.4.2 is affected. Exposure is highest where administrators browse other sites or open email links while logged in to the dashboard, or are frequently targeted by phishing, because the attack needs an authenticated admin session in the victim's browser. Shared hosting does not change the CSRF exposure of a given site, although a compromised neighbouring site is one place an attacker could host the forged page.
• wordpress / composer / npm:
grep -r 'showPageContent()' /var/www/html/wp-content/plugins/disable-admin-notices-hide-dashboard-notifications/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/disable-admin-notices-hide-dashboard-notifications/ | grep -i 'X-Frame-Options'
Caveat: neither command detects the vulnerability itself. The grep only shows whether the plugin directory is present (the directory name on your install may differ from the one shown above), and X-Frame-Options is a clickjacking control unrelated to CSRF, so its presence or absence says nothing about this issue. The reliable test is the installed plugin version: anything from 1.0.0 through 1.4.2 is affected, 1.4.3 or later is fixed.
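As an added example that is not part of the original page or the plugin's own code, the POSIX shell script below decides whether an installed copy of the plugin is in the affected range by reading the "Version:" header of its main plugin file and comparing it with 1.4.3 in version order (so that a hypothetical 1.10.0 is correctly treated as newer than 1.4.3). It assumes the plugin directory is named disable-admin-notices, as in the page's component field, and that the main file carries standard WordPress plugin headers; the sample plugin file the script writes when run without arguments is constructed for illustration only.

```shell
#!/bin/sh
# Added example (not the page's or the plugin's own code): report whether an
# installed copy of the plugin falls in the affected range by parsing the
# "Version:" header of its main plugin file. Assumptions: the plugin directory
# is disable-admin-notices (the page's component field) and the main file uses
# standard WordPress plugin headers; adjust the path for your install.

FIXED_VERSION="1.4.3"   # first fixed release per the advisory

# Print the value of the "Version:" header from a WordPress plugin main file.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# True (exit 0) if version $1 is strictly lower than $2 in version order, so
# 1.10.0 sorts above 1.4.3 (a plain string compare would get this wrong).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True if the version is below the fixed release; every earlier release of the
# plugin (1.0.0 through 1.4.2) is listed as affected.
is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# Locate the main plugin file (the one carrying a "Plugin Name:" header) in a
# plugin directory, print a verdict, and return 0 if affected, 1 if fixed,
# 2 if the version could not be determined.
check_plugin_dir() {
    dir="$1"
    main=$(grep -l '^[[:space:]*]*Plugin Name:' "$dir"/*.php 2>/dev/null | head -n 1)
    if [ -z "$main" ]; then
        printf '%s: no plugin header found; is this a plugin directory?\n' "$dir"
        return 2
    fi
    ver=$(plugin_version "$main")
    if [ -z "$ver" ]; then
        printf '%s: main file %s has no Version header\n' "$dir" "$main"
        return 2
    fi
    if is_affected "$ver"; then
        printf '%s: version %s is AFFECTED by CVE-2026-2410; upgrade to %s or later\n' \
            "$dir" "$ver" "$FIXED_VERSION"
        return 0
    fi
    printf '%s: version %s is not affected\n' "$dir" "$ver"
    return 1
}

# Build a constructed sample plugin directory (not real plugin code) whose main
# file declares the given version; prints the directory path. Caller removes it.
make_sample_plugin() {
    sample=$(mktemp -d)
    cat > "$sample/disable-admin-notices.php" <<EOF
<?php
/*
 * Plugin Name: Disable Admin Notices (constructed sample)
 * Version: $1
 */
EOF
    printf '%s\n' "$sample"
}

# Usage: sh check_dan_version.sh /var/www/html/wp-content/plugins/disable-admin-notices
# With no arguments, run against a constructed sample to show the output format.
if [ $# -eq 0 ]; then
    demo=$(make_sample_plugin 1.4.2)
    check_plugin_dir "$demo" || :
    rm -rf "$demo"
else
    for d in "$@"; do
        check_plugin_dir "$d" || :
    done
fi
```

Run it against every plugin directory under wp-content/plugins on the host, not only the one named in the advisory, since the plugin may have been installed under a different directory name; the script finds the main file by its "Plugin Name:" header rather than by file name.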
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2410 is to upgrade the Disable Admin Notices – Hide Dashboard Notifications plugin to version 1.4.3 or later. If upgrading is not immediately feasible, temporarily deactivate the plugin. Note that input validation and output encoding do not address a CSRF flaw: the forged request is well-formed and arrives from a legitimately authenticated administrator, so the missing control is an anti-CSRF token, not a filter on the data. In WordPress terms, the handler that saves the blocked redirects list must verify a nonce (check_admin_referer() or wp_verify_nonce()) and the caller's capability (current_user_can()) before writing the option; that is the standard WordPress control for this class of bug. Review the plugin's blocked redirects list for entries you did not add. After upgrading, confirm the fix by submitting the save request without a valid nonce and verifying that it is rejected rather than applied.
Update to version 1.4.3, or a later fixed version
CVE-2026-2410 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Disable Admin Notices – Hide Dashboard Notifications WordPress plugin; a forged request from a logged-in administrator's browser can modify the plugin's blocked redirects list.
You are affected if you are using Disable Admin Notices – Hide Dashboard Notifications plugin versions 1.0.0 through 1.4.2.
Upgrade the Disable Admin Notices – Hide Dashboard Notifications plugin to version 1.4.3 or later. Temporarily disable the plugin if upgrading is not immediately possible.
Active exploitation is currently unknown, but the vulnerability is publicly disclosed and poses a potential risk.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.