CVE-2025-14845
Description
The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, provided they can trick an administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The NS IE Compatibility Fixer plugin for WordPress lacks CSRF protection, allowing unauthenticated attackers to change plugin settings via a forged request.
Vulnerability Analysis
The NS IE Compatibility Fixer plugin for WordPress (all versions up to and including 2.1.5) is vulnerable to Cross-Site Request Forgery (CSRF) due to missing nonce validation on its settings update functionality. WordPress functions such as check_admin_referer() and wp_verify_nonce() are designed to protect admin actions against such attacks by verifying intent via a security nonce [1][2]. Without this protection, the plugin cannot confirm that a settings change request originated from an authenticated administrator's intentional action rather than from a page the administrator happened to visit.
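As an added illustration (not the plugin's own code and not taken from any of the cited references), the snippet below contrasts a settings handler of the kind this description implies, one that writes an option with no intent check, against the same handler guarded by the nonce functions named above plus a capability check. The function names, option name, nonce field name and action string (all prefixed hypo_) are made up for the example; the WordPress API calls are real.

```php
<?php
// Added illustration; not the NS IE Compatibility Fixer plugin's code.
// Everything prefixed "hypo_" is a hypothetical name chosen for this example.

// --- Pattern A: settings handler with no nonce check (the defect class this
// CVE describes). Any POST that reaches this code while an administrator's
// session cookie is attached will update the option, whether or not the
// administrator intended it. The browser attaches the cookie automatically,
// which is what makes a cross-site request effective.
function hypo_save_settings_vulnerable() {
    if ( ! isset( $_POST['hypo_mode'] ) ) {
        return;
    }
    update_option( 'hypo_mode', sanitize_text_field( wp_unslash( $_POST['hypo_mode'] ) ) );
}

// --- Pattern B: the form embeds a nonce bound to an action name and to the
// logged-in user, and the handler refuses to proceed unless that nonce is
// present and valid. The capability check is separate: nonces prove intent,
// not authorization, so both are needed.
function hypo_render_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <label>Mode
            <input type="text" name="hypo_mode"
                   value="<?php echo esc_attr( get_option( 'hypo_mode', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function hypo_save_settings_fixed() {
    if ( ! isset( $_POST['hypo_mode'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_verify_nonce() on the named field and
    // terminates the request with an error page when it is absent or invalid.
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );

    update_option( 'hypo_mode', sanitize_text_field( wp_unslash( $_POST['hypo_mode'] ) ) );
}

// --- Pattern C: same protection, but the handler reports failure to its
// caller instead of dying, which suits AJAX or REST-style settings endpoints.
// wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise.
function hypo_save_settings_fixed_soft() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    $nonce = isset( $_POST['hypo_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['hypo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hypo_save_settings' ) ) {
        return new WP_Error( 'bad_nonce', 'Request could not be verified.', array( 'status' => 403 ) );
    }
    $mode = isset( $_POST['hypo_mode'] ) ? sanitize_text_field( wp_unslash( $_POST['hypo_mode'] ) ) : '';
    update_option( 'hypo_mode', $mode );
    return true;
}

add_action( 'admin_init', 'hypo_save_settings_fixed' );
```

When triaging a plugin for this defect class, locate every update_option()/update_site_option() call reachable from an admin request and confirm that check_admin_referer() or wp_verify_nonce() runs earlier on the same code path; a handler that only checks current_user_can() is still exposed, because the victim administrator does hold the capability.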
Exploitation Prerequisites
An unauthenticated attacker can exploit this vulnerability by crafting a malicious link that, when clicked by an authenticated administrator, triggers a settings modification. The attack requires social engineering to trick the administrator into performing the action (e.g., clicking a link while logged into their WordPress admin panel). No authentication is needed on the attacker's side, and the vulnerability can be exploited from any network position [2][3].
Impact
Successful exploitation allows the attacker to alter the plugin's configuration. Depending on the plugin's settings, this could lead to further compromise, such as disabling security features or enabling malicious behaviors. Since the plugin is intended to fix compatibility issues, changing settings could affect site functionality and user experience.
Mitigation
The vulnerability exists in all versions up to and including 2.1.5. The vendor has not released a patched version as of the publication date. Administrators should consider disabling the plugin until a fix is available, or implement additional controls such as Web Application Firewall (WAF) rules to detect CSRF attempts.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- developer.wordpress.org/plugins/security/nonces/
- developer.wordpress.org/reference/functions/check_admin_referer/
- developer.wordpress.org/reference/functions/wp_verify_nonce/
- plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php
- plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_settings_custom.php
- www.wordfence.com/threat-intel/vulnerabilities/id/3c25b462-cb9e-4250-bb17-9f2a0bd7665e
News mentions
No linked articles in our index yet.