Skip to main content
CVE Vulnerability Database

CVE-2025-9627: WordPress Run Log Plugin CSRF Vulnerability

CVE-2025-9627 is a cross-site request forgery flaw in the WordPress Run Log plugin that lets attackers modify settings via forged requests. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-9627 Overview

CVE-2025-9627 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Run Log plugin for WordPress in all versions up to and including 1.7.10. The flaw resides in the oirl_plugin_options function, which lacks proper nonce validation. Unauthenticated attackers can craft malicious requests that, when triggered by an authenticated site administrator, modify plugin settings. Affected settings include distance units, pace display preferences, style themes, and display positions. Exploitation requires user interaction, typically tricking an administrator into clicking a crafted link. The issue is tracked as CWE-352: Cross-Site Request Forgery.

Critical Impact

An attacker can silently alter Run Log plugin configuration on any WordPress site running version 1.7.10 or earlier by luring an administrator to a malicious page.

Affected Products

  • Run Log plugin for WordPress, versions up to and including 1.7.10
  • WordPress sites with the Run Log plugin installed and active
  • Administrator accounts with permission to modify plugin settings

Discovery Timeline

  • 2025-09-11 - CVE-2025-9627 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9627

Vulnerability Analysis

The Run Log plugin exposes a settings handler through the oirl_plugin_options function. This function processes administrative configuration changes but does not verify a valid WordPress nonce or equivalent anti-CSRF token before executing state-changing operations. Because the plugin trusts the origin of the request based solely on the administrator's authenticated session, any request that carries the administrator's session cookies is accepted. An attacker leverages this trust boundary by hosting a page that submits a forged POST request to the settings endpoint. When the administrator visits the attacker-controlled page, the browser automatically attaches session cookies and the plugin persists the attacker-supplied configuration. The impact is limited to integrity of plugin settings such as distance units, pace display, style themes, and display positions. See the Wordfence Vulnerability Report for additional context.

Root Cause

The root cause is missing or incorrect nonce validation in the oirl_plugin_options function. WordPress provides wp_verify_nonce and check_admin_referer helpers for this exact scenario, but the vulnerable handler does not call them before applying settings updates. See the WordPress Plugin Source Code for the affected code location.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker crafts an HTML page containing a hidden form or JavaScript that submits a POST request to the target site's admin endpoint responsible for Run Log settings. The attacker then delivers the link through phishing, forum posts, or malicious advertisements. When a logged-in administrator loads the page, the browser submits the request with valid session credentials, and the plugin writes the attacker-chosen options. The corresponding vendor fix is available in the WordPress Changeset Update.

Detection Methods for CVE-2025-9627

Indicators of Compromise

  • Unexpected changes to Run Log plugin options such as distance units, pace display, style themes, or display positions without a corresponding administrator action in the audit trail.
  • HTTP POST requests to WordPress admin endpoints for Run Log settings originating with a Referer header pointing to an external, untrusted domain.
  • Administrator browser history entries showing visits to unfamiliar sites immediately preceding configuration changes.

Detection Strategies

  • Monitor web server access logs for POST requests targeting the Run Log options handler that lack a same-origin Referer or Origin header.
  • Compare plugin settings against a known-good baseline on a scheduled basis and alert on drift.
  • Inspect the WordPress options table for changes to keys owned by the Run Log plugin and correlate with authenticated admin sessions.

Monitoring Recommendations

  • Enable WordPress audit logging plugins to record every settings change with actor, timestamp, and source IP.
  • Forward web server and WordPress audit logs to a centralized SIEM for correlation with phishing and web proxy telemetry.
  • Alert on administrator accounts visiting low-reputation external domains during active admin sessions.

How to Mitigate CVE-2025-9627

Immediate Actions Required

  • Update the Run Log plugin to a version later than 1.7.10 that includes the fix from changeset 3361381.
  • Audit current Run Log plugin settings and restore any values altered without authorization.
  • Instruct administrators to log out of WordPress sessions before browsing untrusted content.

Patch Information

The vendor addressed the missing nonce validation in the Run Log plugin repository. Site owners should upgrade to the fixed release published after the WordPress Changeset Update. Verify the installed version through the WordPress admin Plugins screen after applying the update.

Workarounds

  • Deactivate the Run Log plugin until the patched version can be installed if updating is not immediately possible.
  • Restrict administrative access to trusted networks using IP allowlists at the web server or WAF layer to reduce CSRF exposure.
  • Deploy a web application firewall rule that requires a valid same-origin Referer or Origin header on POST requests to /wp-admin/ endpoints associated with plugin options.
bash
# Example: quickly disable the vulnerable plugin via WP-CLI
wp plugin deactivate run-log
wp plugin update run-log

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.