
CVE-2025-9627: CWE-352 Cross-Site Request Forgery (CSRF) in izem Run Log

Severity: Medium
Tags: Vulnerability, CVE-2025-9627, CWE-352
Published: Thu Sep 11 2025 (09/11/2025, 07:24:56 UTC)
Source: CVE Database V5
Vendor/Project: izem
Product: Run Log

Description

The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. This is due to missing or incorrect nonce validation on the oirl_plugin_options function. This makes it possible for unauthenticated attackers to modify plugin settings including distance units, pace display preferences, style themes, and display positions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Last updated: 09/11/2025, 07:33:11 UTC

Technical Analysis

CVE-2025-9627 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Run Log plugin for WordPress, specifically all versions up to and including 1.7.10. The vulnerability arises due to missing or incorrect nonce validation in the oirl_plugin_options function. WordPress nonces are per-user, per-action, time-limited tokens that a state-changing request must carry to prove it originated from a form the site itself rendered rather than from a third-party page; checking them is WordPress's standard CSRF defence. Because this validation is absent or improperly implemented, an attacker can craft a malicious request that, when executed by an authenticated site administrator (for example, by clicking a link), can modify plugin settings without the administrator's explicit consent. The settings that can be altered include distance units, pace display preferences, style themes, and display positions. Although the attacker cannot directly execute commands or access sensitive data, they can manipulate the plugin's configuration, potentially degrading user experience or causing confusion. The vulnerability requires no prior authentication but does require user interaction (the administrator must be tricked into performing an action). The CVSS v3.1 base score is 4.3, indicating a medium severity level, with an attack vector of network, low attack complexity, no privileges required, user interaction required, and impact limited to integrity (no confidentiality or availability impact). There are no known exploits in the wild as of the published date, and no patches have been linked yet. The vulnerability is classified under CWE-352, which covers CSRF issues.

Potential Impact

For European organizations using WordPress sites with the Run Log plugin installed, this vulnerability could lead to unauthorized changes in plugin settings by attackers who manage to trick site administrators into clicking malicious links. While the direct impact on confidentiality and availability is minimal, the integrity of the plugin’s configuration can be compromised. This could result in altered display units or themes that confuse end users or degrade the user experience, potentially undermining trust in the affected website. In environments where accurate data presentation is critical (e.g., fitness or health-related services relying on Run Log data), such unauthorized changes could mislead users or disrupt service consistency. Additionally, if attackers combine this vulnerability with other weaknesses, they might use it as a foothold for more complex attacks. The requirement for user interaction and administrator involvement limits the scope somewhat but does not eliminate risk, especially in organizations with less security-aware staff. Given the widespread use of WordPress across Europe, and the popularity of fitness and activity tracking plugins, the threat is relevant but not critical.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify if the Run Log plugin is in use and determine its version. Until an official patch is released, administrators should consider disabling or uninstalling the Run Log plugin to eliminate exposure. If disabling is not feasible, organizations should implement compensating controls such as restricting administrative access to trusted networks or VPNs, enforcing multi-factor authentication (MFA) for administrator accounts, and educating administrators about the risks of clicking unknown or suspicious links. Web Application Firewalls (WAFs) can be configured to detect and block suspicious POST requests targeting the plugin’s options endpoint. Monitoring administrative actions and plugin configuration changes can help detect exploitation attempts. Once a patch is available, prompt application of updates is essential. Additionally, developers and site owners should verify nonce implementation in custom plugins and themes to prevent similar CSRF vulnerabilities.
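The nonce check that the Technical Analysis describes as missing from oirl_plugin_options, and that the last recommendation above asks developers to verify, looks like this in a WordPress options handler. This is an added illustration, not the Run Log plugin's own code: the function bodies, hook name, option name and form fields are all constructed for the example.

```php
<?php
// Added illustration (not the Run Log plugin's code): a WordPress settings
// handler with the CSRF defences the advisory says oirl_plugin_options lacks.
// All names below (example_runlog_*) are constructed for this example.

// Settings form: wp_nonce_field() emits a hidden token tied to the action,
// the logged-in user and a time window, which a cross-site form cannot supply.
function example_runlog_settings_form() {
    $units = get_option( 'example_runlog_units', 'km' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_runlog_save">';
    wp_nonce_field( 'example_runlog_save_options', 'example_runlog_nonce' );
    echo '<select name="units">';
    foreach ( array( 'km', 'mi' ) as $u ) {
        printf( '<option value="%s"%s>%s</option>', esc_attr( $u ), selected( $units, $u, false ), esc_html( $u ) );
    }
    echo '</select><button type="submit">Save</button></form>';
}

// Vulnerable pattern (the bug class behind CVE-2025-9627): the option is
// written straight from POST with no nonce or capability check, so a request
// an administrator is tricked into sending from another site is accepted.
function example_runlog_save_insecure() {
    update_option( 'example_runlog_units', sanitize_text_field( wp_unslash( $_POST['units'] ?? 'km' ) ) );
}

// Hardened handler: capability check, then nonce verification, before any
// write. check_admin_referer() calls wp_die() if the nonce is absent/invalid.
function example_runlog_save_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_runlog_save_options', 'example_runlog_nonce' );

    // Validate against an allow-list rather than trusting free-form input.
    $units = sanitize_text_field( wp_unslash( $_POST['units'] ?? 'km' ) );
    if ( ! in_array( $units, array( 'km', 'mi' ), true ) ) {
        wp_die( 'Invalid units value.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_runlog_units', $units );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_runlog_save', 'example_runlog_save_secure' );
```

The nonce alone is not an authorization check, which is why the hardened handler pairs it with current_user_can(); plugins built on the Settings API get the nonce from settings_fields() but still need the capability check.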


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-28T19:25:26.321Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c27a22e1c560fa9d94d4af

Added to database: 9/11/2025, 7:28:34 AM

Last enriched: 9/11/2025, 7:33:11 AM

Last updated: 9/11/2025, 7:07:37 PM
