Platform
wordpress
Component
ns-ie-compatibility-fixer
Fixed in
2.1.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in the NS IE Compatibility Fixer plugin for WordPress, affecting versions from 0.0.0 up to and including 2.1.5. This flaw allows unauthenticated attackers to modify the plugin's settings if they can trick an administrator into performing a specific action. The vulnerability stems from a lack of nonce validation during settings updates, making it susceptible to forged requests.
Successful exploitation of this CSRF vulnerability could allow an attacker to maliciously alter the NS IE Compatibility Fixer plugin's configuration. This could lead to unexpected behavior within the WordPress site, potentially impacting its functionality or security posture. An attacker could, for example, change compatibility settings to introduce vulnerabilities or redirect users to malicious sites. The blast radius is limited to the WordPress site using the vulnerable plugin and the administrative access required to trigger the forged request.
This vulnerability was publicly disclosed on 2026-01-07. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is considered medium due to the relatively straightforward nature of CSRF attacks and the plugin's popularity.
WordPress websites utilizing the NS IE Compatibility Fixer plugin, particularly those with shared hosting environments or where administrative privileges are not strictly controlled, are at increased risk. Sites with legacy WordPress configurations or those lacking robust security practices are also more vulnerable.
• wordpress / composer / npm:
grep -r 'settings_update' /var/www/html/wp-content/plugins/ns-ie-compatibility-fixer/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'ns-ie-compatibility-fixer'
• generic web: Check for unusual plugin settings modifications in the WordPress admin panel.
• generic web: Monitor WordPress access logs for suspicious requests targeting plugin settings endpoints.
disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the NS IE Compatibility Fixer plugin to a version that addresses this vulnerability. The vendor has not yet released a fixed version, so immediate action is required. As a temporary workaround, implement strict input validation and output encoding on all settings update endpoints. Consider using a WordPress security plugin that provides CSRF protection for all plugin settings pages. Carefully review any suspicious links or actions requested by users, particularly those with administrative privileges. After upgrade, confirm the fix by attempting to modify plugin settings via a crafted CSRF request and verifying that the action is blocked.
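As an added illustration of the missing nonce validation the advisory describes (this is hypothetical example code, not the plugin's own), the following WordPress settings handler shows the vulnerable pattern beside a hardened one; the option name, form action and function names are assumptions:

```php
<?php
// Added example (not the plugin's code). Option name 'ns_ie_demo_mode',
// action 'ns_ie_demo_save' and all function names are assumptions.

// VULNERABLE: trusts any POST that reaches the handler. A form hosted on a
// third-party site and submitted by a logged-in administrator's browser
// carries the admin's cookies, so the option is overwritten.
function ns_ie_demo_save_settings_vulnerable() {
    if ( isset( $_POST['ns_ie_demo_mode'] ) ) {
        update_option( 'ns_ie_demo_mode', $_POST['ns_ie_demo_mode'] );
    }
}

// HARDENED: render the form with a nonce bound to this specific action...
function ns_ie_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'ns_ie_demo_save', 'ns_ie_demo_nonce' );
    echo '<input type="hidden" name="action" value="ns_ie_demo_save">';
    echo '<input type="text" name="ns_ie_demo_mode" value="'
        . esc_attr( get_option( 'ns_ie_demo_mode', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// ...and verify both the nonce and the capability before writing.
function ns_ie_demo_save_settings_hardened() {
    // check_admin_referer() calls wp_die() when the nonce is absent, expired,
    // or was issued for a different action or user session; a cross-site
    // form cannot obtain a valid one.
    check_admin_referer( 'ns_ie_demo_save', 'ns_ie_demo_nonce' );

    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Sanitize before storing; settings values are attacker-influenced input.
    $mode = isset( $_POST['ns_ie_demo_mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['ns_ie_demo_mode'] ) )
        : '';
    update_option( 'ns_ie_demo_mode', $mode );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_ns_ie_demo_save', 'ns_ie_demo_save_settings_hardened' );
```

When verifying a fix, the hardened handler rejects a request that lacks the `ns_ie_demo_nonce` field with a 403 from `wp_die()`, which is the behaviour the "confirm the fix" step above expects to observe.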
No known patch available. Please review the vulnerability details thoroughly and implement protective measures based on your organisation's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-14845 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the NS IE Compatibility Fixer WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if your WordPress site uses the NS IE Compatibility Fixer plugin in versions 0.0.0 through 2.1.5. Upgrade immediately.
Upgrade to a patched version of the plugin. Until a patch is available, implement input validation and consider a WordPress security plugin for CSRF protection.
There are no confirmed reports of active exploitation at this time, but the vulnerability is publicly known and could be targeted.
Check the plugin author's website or WordPress plugin repository for updates and advisories related to CVE-2025-14845.