Description
The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2026-01-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated modification of plugin settings via CSRF
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery in the NS IE Compatibility Fixer WordPress plugin that allows an unauthenticated attacker to coerce an administrator into sending a forged request that updates the plugin’s settings. Because the plugin’s update endpoint lacks nonce verification, the attacker can change any configurable option without being logged in. The resulting impact is an unauthorized modification of plugin configuration, which could lead to misconfiguration or potentially disable the plugin, thereby affecting site functionality.

Affected Systems

All WordPress installations running the NS IE Compatibility Fixer plugin version 2.1.5 or older are affected. The vulnerability originates in the plugin’s admin settings files (ns_admin_option_dashboard.php and ns_settings_custom.php), and affects every installation that deploys that plugin on a WordPress site. Any server hosting a site with this plugin, regardless of the WordPress version, is at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score below 1% indicates a very low estimated likelihood of exploitation. Exploitation requires no privileges on the site and no network access beyond the ordinary web interface, but it does require user interaction: the attacker must trick an authenticated administrator into submitting a forged request, for example by clicking a malicious link. The vulnerability is not listed in the CISA KEV catalog, but administrators should still apply the official patch, because a CSRF that modifies plugin settings can impair site administration.

Generated by OpenCVE AI on April 21, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NS IE Compatibility Fixer to the latest released version, which adds nonce validation to the settings update function.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the plugin to remove the attack vector.
  • As a short‑term workaround, edit the plugin’s settings handling code to include nonce checks such as wp_verify_nonce or check_admin_referer before processing any updates.
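The following is an added illustration of the pattern the last bullet describes; it is not the NS IE Compatibility Fixer plugin's code and does not come from the advisory. It shows a hypothetical settings handler without nonce validation beside a hardened version that checks capability and nonce, plus the form that emits the nonce. The option name (example_plugin_settings), action name (example_save_settings), and field names are assumptions chosen for the example.

```php
<?php
/*
 * Hypothetical WordPress settings handler illustrating CWE-352 (missing nonce
 * validation). NOT the NS IE Compatibility Fixer plugin's code; the option,
 * action and field names below are assumptions made for this example.
 */

// --- Vulnerable pattern (shown for contrast only, never hooked) ---
// The handler trusts any POST that reaches it, so a form auto-submitted from
// an attacker-controlled page by an administrator's browser is processed
// exactly like a legitimate settings save.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_settings_submit'] ) ) {
        update_option( 'example_plugin_settings', wp_unslash( $_POST['example_settings'] ) );
    }
}

// --- Hardened pattern: capability check plus nonce validation ---
function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_settings_submit'] ) ) {
        return;
    }
    // Only users permitted to manage options may save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example-plugin' ) );
    }
    // check_admin_referer() stops the request with an error unless the named
    // field carries a valid nonce for this action (field defaults to _wpnonce).
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    // Equivalent manual check, for handlers that need their own error path:
    // $nonce = isset( $_POST['example_settings_nonce'] )
    //     ? sanitize_text_field( wp_unslash( $_POST['example_settings_nonce'] ) ) : '';
    // if ( ! wp_verify_nonce( $nonce, 'example_save_settings' ) ) { wp_die( 'Invalid request.' ); }

    // Sanitize each field explicitly instead of storing the raw POST array.
    $raw = ( isset( $_POST['example_settings'] ) && is_array( $_POST['example_settings'] ) )
        ? wp_unslash( $_POST['example_settings'] )
        : array();
    $settings = array(
        'enabled'    => ! empty( $raw['enabled'] ) ? 1 : 0,
        'user_agent' => isset( $raw['user_agent'] ) ? sanitize_text_field( $raw['user_agent'] ) : '',
    );
    update_option( 'example_plugin_settings', $settings );
}

// The form that pairs with the hardened handler: wp_nonce_field() emits the
// hidden nonce input (and a referer field) that check_admin_referer() expects.
function example_render_settings_form() {
    $settings = get_option( 'example_plugin_settings', array( 'enabled' => 0, 'user_agent' => '' ) );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ); ?>
        <label>
            <input type="checkbox" name="example_settings[enabled]" value="1" <?php checked( 1, (int) $settings['enabled'] ); ?> />
            Enable compatibility fixes
        </label>
        <input type="text" name="example_settings[user_agent]" value="<?php echo esc_attr( $settings['user_agent'] ); ?>" />
        <?php submit_button( 'Save', 'primary', 'example_settings_submit' ); ?>
    </form>
    <?php
}

// Process the save early in the admin request, before any output is sent.
add_action( 'admin_init', 'example_save_settings_hardened' );
```

The nonce is tied to the logged-in user and the action name, so a third-party page cannot produce a valid one; the capability check is kept separately because a nonce proves intent, not authorization.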


Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 06:45:00 +0000

Type          Values Removed   Values Added
Description                    The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Title                          NS IE Compatibility Fixer <= 2.1.5 - Cross-Site Request Forgery to Plugin Settings Update
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:22.489Z

Reserved: 2025-12-17T18:50:15.211Z

Link: CVE-2025-14845

Vulnrichment

Updated: 2026-01-07T14:52:04.568Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:57.027

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14845

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses