Platform
wordpress
Component
ns-ie-compatibility-fixer
Fixed in
2.1.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in the NS IE Compatibility Fixer plugin for WordPress in all versions up to and including 2.1.5. The plugin's settings-update handler does not validate a nonce, so it accepts any well-formed request that arrives with an administrator's session cookies, regardless of where that request originated. An unauthenticated attacker can therefore change the plugin's settings by luring a logged-in administrator to a page or link that submits the crafted request on the attacker's behalf.
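As an added illustration (not code from the NS IE Compatibility Fixer plugin or its vendor), the following PHP shows the handler pattern the advisory describes, a settings save guarded only by a capability check, next to a hardened version that verifies a WordPress nonce before writing. The hook names, the `ns_ie_settings` option key, the field names and the allowed values are hypothetical.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Both handlers receive a POST
 * from a settings form routed through wp-admin/admin-post.php. Hook names,
 * the option key and the field names are hypothetical.
 */

// --- Vulnerable pattern: capability check only, no nonce -------------------
// A logged-in administrator who opens an attacker page that auto-submits a
// form to admin-post.php?action=ns_ie_save_insecure passes current_user_can(),
// so the forged request is accepted and the option is overwritten.
add_action( 'admin_post_ns_ie_save_insecure', 'ns_ie_save_insecure' );
function ns_ie_save_insecure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    $mode = isset( $_POST['ns_ie_mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['ns_ie_mode'] ) )
        : 'edge';
    update_option( 'ns_ie_settings', array( 'mode' => $mode ) ); // hypothetical key
    wp_safe_redirect( admin_url( 'options-general.php?page=ns-ie-settings&saved=1' ) );
    exit;
}

// --- Hardened pattern: nonce bound to this action, checked before any write --
add_action( 'admin_post_ns_ie_save', 'ns_ie_save_settings' );
function ns_ie_save_settings() {
    // Authorization: may this user change site options at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // CSRF defence: the nonce is emitted by wp_nonce_field() on the plugin's
    // own settings page and is derived from the action name, the user ID and
    // the session token. A form hosted on another origin cannot obtain it.
    // check_admin_referer() calls wp_die() when the nonce is missing or stale.
    check_admin_referer( 'ns_ie_save_settings', 'ns_ie_nonce' );

    $allowed = array( 'edge', 'emulate-ie11', 'off' ); // hypothetical values
    $mode    = isset( $_POST['ns_ie_mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['ns_ie_mode'] ) )
        : 'edge';
    if ( ! in_array( $mode, $allowed, true ) ) {
        $mode = 'edge'; // reject unexpected values instead of storing them
    }
    update_option( 'ns_ie_settings', array( 'mode' => $mode ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ns-ie-settings&saved=1' ) );
    exit;
}

// --- Settings form that emits the matching nonce ---------------------------
function ns_ie_render_settings_form() {
    $settings = get_option( 'ns_ie_settings', array( 'mode' => 'edge' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ns_ie_save">
        <?php wp_nonce_field( 'ns_ie_save_settings', 'ns_ie_nonce' ); ?>
        <label>Compatibility mode
            <input type="text" name="ns_ie_mode"
                   value="<?php echo esc_attr( $settings['mode'] ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The capability check alone does not help against CSRF, because the victim administrator genuinely holds `manage_options`; what is missing in the first handler is proof that the request was issued from the plugin's own page. `check_admin_referer()` supplies that proof and stops the forged POST before `update_option()` runs. Plugins that register their options through `register_setting()` and submit to `options.php` get the equivalent check from WordPress core, since `options.php` verifies the nonce that `settings_fields()` emits.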
Successful exploitation lets the attacker overwrite the NS IE Compatibility Fixer configuration with values of their choosing. The concrete impact is bounded by what the plugin's settings control: a changed configuration can alter how the site renders for visitors or disable behaviour the site relies on. The blast radius is limited to the single WordPress site running the vulnerable plugin, and the attack only succeeds while an administrator of that site is logged in and can be induced to trigger the forged request.
This vulnerability was publicly disclosed on 2026-01-07. No public proof-of-concept (PoC) code had been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is low (0.02%, 5th percentile). CSRF against a settings form is trivial to weaponize once the request format is known, but exploitation still depends on an administrator visiting attacker-controlled content while logged in, which keeps the practical likelihood moderate rather than high.
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the NS IE Compatibility Fixer plugin to version 2.1.6 or later, which addresses this vulnerability. Input validation and output encoding do not address CSRF: the forged request is well-formed and carries the victim's valid session, so the missing control is proof that the request originated from the plugin's own settings page, which in WordPress means a nonce checked with check_admin_referer() or wp_verify_nonce(). If you cannot upgrade immediately, deactivate the plugin, or block POST requests to its settings handler at the WAF until the update is applied. Remind administrators not to follow untrusted links while logged in to the dashboard, since that is the interaction the attack depends on. After upgrading, confirm the fix by submitting a settings change from a page outside the site, without a nonce, while logged in as an administrator, and verifying that WordPress rejects the request (by default with the "The link you followed has expired" error) and that the stored settings are unchanged.
If upgrading is not possible in your environment, review the vulnerability's details in depth and apply mitigations according to your organization's risk tolerance. Uninstalling the plugin and replacing it is the simplest way to remove the exposure entirely.
CVE-2025-14845 is a Cross-Site Request Forgery (CSRF) vulnerability in the NS IE Compatibility Fixer WordPress plugin. Because the settings-update handler does not validate a nonce, an unauthenticated attacker can change the plugin's settings by tricking a logged-in administrator into sending a forged request.
You are affected if your WordPress site runs the NS IE Compatibility Fixer plugin in any version up to and including 2.1.5. Upgrade to 2.1.6 or later.
Upgrade to version 2.1.6 or later. If you cannot upgrade right away, deactivate the plugin or block its settings-update requests at the WAF; input validation alone does not stop CSRF.
There are no confirmed reports of active exploitation at this time, but the vulnerability is publicly known and could be targeted.
Check the plugin author's website or WordPress plugin repository for updates and advisories related to CVE-2025-14845.