CVE-2025-9895: 
WordPress vulnerability analysis and mitigation

The Notification Bar plugin for WordPress has been identified with a Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2025-9895. The vulnerability affects all versions up to and including version 2.2. This security issue was discovered and reported by researcher Nabil Irawan, with the initial disclosure occurring on October 3, 2025 (NVD CVE, Wordfence Intel).

The vulnerability stems from missing or incorrect nonce validation in the 'subscriber-list-empty.php' file. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 4.3 (MEDIUM), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability requires network access and user interaction, with low complexity for exploitation and no authentication requirements (NVD CVE).

The exploitation of this vulnerability could allow unauthenticated attackers to empty the subscriber list of affected WordPress installations. This occurs when an attacker successfully tricks a site administrator into performing specific actions, such as clicking on a malicious link (NVD CVE).

Website administrators running the Notification Bar plugin should upgrade to a version newer than 2.2 once available. In the meantime, administrators should be cautious when clicking on links, especially those from untrusted sources (NVD CVE).