Impact
The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress contains a cross-site request forgery flaw caused by missing nonce validation in the showPageContent() function. Because the request is not bound to a nonce, an unauthenticated attacker can add arbitrary URLs to the blocked redirects list, provided they can trick a site administrator into clicking a link that submits the forged request. The primary impact is unauthorized modification of the plugin's configuration, which can redirect visitors or alter site behavior. Although the vulnerability does not provide remote code execution, the ability to change redirect rules can facilitate phishing or other indirect attacks. The vulnerability is rated with a CVSS score of 4.3, indicating moderate severity.
Affected Systems
The affected product is the themeisle Disable Admin Notices – Hide Dashboard Notifications WordPress plugin, all releases up to and including version 1.4.2. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 4.3 and an EPSS below one percent suggest a moderate, not high, likelihood of exploitation. The flaw requires a social-engineering component: an attacker must persuade a logged-in site administrator to trigger a forged request. The vulnerability's absence from CISA's KEV catalog further indicates that no exploitation in the wild has been publicly reported. A successful attack would allow an attacker to inject malicious redirect URLs, potentially redirecting visitors to malicious sites or intercepting traffic. The vulnerability is classified as CWE-352, cross-site request forgery.
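The bug class described above, a settings handler that accepts a POST without a nonce, shown beside the form a WordPress developer would ship to close it. This is an added illustration, not code from the Disable Admin Notices plugin; the option name, nonce action, field names and function names are assumptions made for the example.

```php
<?php
// Added illustration of CWE-352 in a WordPress settings handler, not code
// from the Disable Admin Notices plugin. Option name, nonce action and
// field names below are assumptions made for this example.

// VULNERABLE: the handler trusts any POST that reaches it. A form on an
// attacker's page, auto-submitted by a logged-in admin's browser, carries
// the admin's session cookies and is accepted with no proof of intent.
function dan_example_save_redirects_vulnerable() {
    if ( isset( $_POST['blocked_redirects'] ) ) {
        update_option( 'dan_example_blocked_redirects', $_POST['blocked_redirects'] );
    }
}

// HARDENED, step 1: render the form with a nonce bound to one action.
// The nonce is per-user and time-limited, so a third-party page cannot
// forge a valid value for the administrator's session.
function dan_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'dan_example_save_redirects', 'dan_example_nonce' );
    echo '<textarea name="blocked_redirects"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// HARDENED, step 2: require that nonce, a capability check and input
// sanitisation before touching the option. check_admin_referer() stops
// execution on a missing or invalid nonce, so a cross-site request never
// reaches update_option().
function dan_example_save_redirects_hardened() {
    if ( ! isset( $_POST['blocked_redirects'] ) ) {
        return;
    }
    check_admin_referer( 'dan_example_save_redirects', 'dan_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // One URL per line; strip slashes WordPress adds, trim, sanitise, drop empties.
    $lines = explode( "\n", wp_unslash( $_POST['blocked_redirects'] ) );
    $urls  = array_filter( array_map( 'esc_url_raw', array_map( 'trim', $lines ) ) );
    update_option( 'dan_example_blocked_redirects', array_values( $urls ) );
}
add_action( 'admin_init', 'dan_example_save_redirects_hardened' );
```

When reviewing a plugin for this weakness, look for every `$_POST`/`$_GET` read that leads to `update_option()` or a database write and confirm a `check_admin_referer()` or `wp_verify_nonce()` call guards the same code path.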
OpenCVE Enrichment