Disable Admin Notices WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress, affecting all versions through 1.4.2. The vulnerability arises from inadequate nonce validation in the 'showPageContent()' function, allowing unauthenticated attackers to manipulate the blocked redirects list by sending forged requests, provided they can deceive a site administrator into clicking a link.

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker can trick a user into performing actions they did not intend to, potentially leading to unauthorized changes in the WordPress admin settings.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to a WordPress site with the vulnerable plugin installed. This can be done by tricking an administrator into clicking a link that activates the request, such as through an email or a web page. The absence of proper nonce validation allows the request to be processed as if it were initiated by the administrator, enabling the attacker to add unwanted URLs to the blocked redirects list.

Remediation

Users are advised to update the Disable Admin Notices – Hide Dashboard Notifications plugin to version 1.4.3 or later, where this vulnerability has been patched.