The USS Upyun plugin for WordPress, widely used for integrating Upyun cloud storage services, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-9629. This vulnerability exists in all versions up to and including 1.5.0 due to missing or incorrect nonce validation in the uss_setting_page function when handling the uss_set form type. Nonces are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. The absence or improper implementation of nonce validation allows attackers to craft malicious requests that, when executed by an authenticated administrator (via clicking a specially crafted link), can alter critical cloud storage settings. These settings include the bucket name, operator credentials, upload paths, and image processing parameters, which are essential for the correct operation and security of the cloud storage integration. The vulnerability does not require the attacker to be authenticated but does require user interaction from an administrator, making social engineering a key component of exploitation. The CVSS v3.1 base score is 4.3, reflecting a medium severity level primarily due to the need for user interaction and the limited impact on confidentiality and availability. No public exploits have been reported yet, but the potential for unauthorized configuration changes could lead to service disruption or further compromise if attackers manipulate storage credentials or paths. The vulnerability was reserved on August 28, 2025, and published on September 17, 2025, with no patches currently linked, indicating that users should monitor for updates or apply workarounds promptly.

The primary impact of this vulnerability is the unauthorized modification of critical Upyun cloud storage settings within WordPress sites using the USS Upyun plugin. Such unauthorized changes can disrupt the normal operation of cloud storage services, potentially causing data upload failures, misdirected data storage, or exposure of sensitive credentials. This could lead to data integrity issues, loss of data availability, or enable attackers to redirect or intercept data flows. Additionally, altered image processing parameters might affect content delivery or introduce further security risks. Although the vulnerability does not directly compromise confidentiality, the manipulation of operator credentials could indirectly expose sensitive information or enable further attacks. Organizations relying on Upyun cloud storage for critical operations may experience service interruptions or reputational damage. The requirement for administrator interaction limits the scope but does not eliminate risk, especially in environments with less security awareness or where phishing attacks are common. Overall, the vulnerability poses a moderate risk to organizations, particularly those with high reliance on Upyun cloud services integrated via this plugin.

To mitigate this vulnerability, organizations should immediately update the USS Upyun plugin to a patched version once available. In the absence of an official patch, administrators should implement the following specific measures: 1) Disable or restrict access to the USS Upyun settings page to trusted administrators only and limit exposure to potential phishing attempts. 2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the uss_setting_page endpoint or containing parameters related to uss_set form submissions. 3) Educate administrators about the risks of clicking unsolicited links and implement strict email filtering to reduce phishing risks. 4) Manually verify and harden nonce validation in the plugin code if feasible, adding proper nonce checks to the uss_setting_page function to ensure requests are legitimate. 5) Monitor logs for unusual changes to Upyun configuration settings and implement alerting for configuration modifications. 6) Consider temporarily disabling the plugin if it is not critical to operations until a secure version is released. These targeted actions go beyond generic advice by focusing on access control, request validation, and administrator awareness specific to this vulnerability.