Cross-Site Request Forgery in Disable Admin Notices – Hide Dashboard Notifications for WordPress
CVE-2026-2410

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Disable Admin Notices – Hide Dashboard Notifications
Vendor: CVE Published:; 25 February 2026

What is CVE-2026-2410?

The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is susceptible to Cross-Site Request Forgery due to the absence of proper nonce validation in the showPageContent() function. This vulnerability allows unauthorized attackers to exploit the flaw to inject arbitrary URLs into the blocked redirects list. By tricking a site administrator into executing an action, such as clicking on a malicious link, an attacker could successfully carry out the exploit, compromising the site’s security.

Affected Version(s)

Disable Admin Notices – Hide Dashboard Notifications 0 <= 1.4.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/disable-admin-...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 25, 2026
Vulnerability Reserved
Feb 12, 2026

Credit

Lukasz Sobanski

CVE-2026-2410 Data

JSON