{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14845", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-17T18:50:15.211Z", "datePublished": "2026-01-07T06:36:01.098Z", "dateUpdated": "2026-04-08T16:47:22.489Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:22.489Z"}, "affected": [{"vendor": "nsthemes", "product": "NS Ie Compatibility Fixer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "title": "NS IE Compatibility Fixer <= 2.1.5 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c25b462-cb9e-4250-bb17-9f2a0bd7665e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_settings_custom.php#L8"}, {"url": "https://developer.wordpress.org/plugins/security/nonces/"}, {"url": "https://developer.wordpress.org/reference/functions/wp_verify_nonce/"}, {"url": "https://developer.wordpress.org/reference/functions/check_admin_referer/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-01-06T18:32:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T14:52:00.903006Z", "id": "CVE-2025-14845", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:13:56.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14845", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T14:52:00.903006Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:52:04.568Z"}}], "cna": {"title": "NS IE Compatibility Fixer <= 2.1.5 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "nsthemes", "product": "NS Ie Compatibility Fixer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T18:32:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c25b462-cb9e-4250-bb17-9f2a0bd7665e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_settings_custom.php#L8"}, {"url": "https://developer.wordpress.org/plugins/security/nonces/"}, {"url": "https://developer.wordpress.org/reference/functions/wp_verify_nonce/"}, {"url": "https://developer.wordpress.org/reference/functions/check_admin_referer/"}], "descriptions": [{"lang": "en", "value": "The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:22.489Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14845", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:22.489Z", "dateReserved": "2025-12-17T18:50:15.211Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T06:36:01.098Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14845", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:57.027", "references": [{"source": "security@wordfence.com", "url": "https://developer.wordpress.org/plugins/security/nonces/"}, {"source": "security@wordfence.com", "url": "https://developer.wordpress.org/reference/functions/check_admin_referer/"}, {"source": "security@wordfence.com", "url": "https://developer.wordpress.org/reference/functions/wp_verify_nonce/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L29"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L30"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_settings_custom.php#L8"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c25b462-cb9e-4250-bb17-9f2a0bd7665e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:47:36.012480+00:00", "value": {"mitigation_remediation": ["Update NS IE Compatibility Fixer to the latest released version, which adds nonce validation to the settings update function.", "If an upgrade cannot be performed immediately, deactivate or uninstall the plugin to remove the attack vector.", "As a short\u2011term workaround, edit the plugin\u2019s settings handling code to include nonce checks such as wp_verify_nonce or check_admin_referer before processing any updates."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated modification of plugin settings via CSRF"}, "threat_synthesis": {"affected_systems": "All WordPress installations running the NS IE Compatibility Fixer plugin version 2.1.5 or older are affected. The vulnerability originates in the plugin\u2019s admin settings files (ns_admin_option_dashboard.php and ns_settings_custom.php), and affects every installation that deploys that plugin on a WordPress site. Any server hosting a site with this plugin, regardless of the WordPress version, is at risk.", "description_and_impact": "The vulnerability is a Cross\u2011Site Request Forgery in the NS IE Compatibility Fixer WordPress plugin that allows an unauthenticated attacker to coerce an administrator into sending a forged request that updates the plugin\u2019s settings. Because the plugin\u2019s update endpoint lacks nonce verification, the attacker can change any configurable option without being logged in. The resulting impact is an unauthorized modification of plugin configuration, which could lead to misconfiguration or potentially disable the plugin, thereby affecting site functionality.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, but the EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability does not require elevated privileges or network access beyond the web interface; it relies on an attacker tricking an administrator into clicking a malicious link. The vulnerability is not listed in the CISA KEV catalog, but administrators should still adopt the official patch because the risk of CSRF to modify plugin settings can impair site administration."}}}}, "created": "2026-01-08T09:49:39.394742+00:00", "updated": "2026-04-21T17:00:12.307307+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}