CVE-2025-9627: 
WordPress vulnerability analysis and mitigation

The Run Log plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-9627, affecting all versions up to and including 1.7.10. The vulnerability was discovered and reported on September 11, 2025, by Wordfence security researchers (NVD Database).

The vulnerability stems from missing or incorrect nonce validation in the oirl_plugin_options function. The CVSS v3.1 base score is 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability requires network access and user interaction but no privileges, resulting in low impact to integrity (NVD Database).

When successfully exploited, this vulnerability allows unauthenticated attackers to modify plugin settings, including distance units, pace display preferences, style themes, and display positions. The modification of these settings occurs through a forged request when a site administrator is tricked into performing specific actions (NVD Database).

Website administrators running the Run Log plugin should update to a version newer than 1.7.10 if available. Until an update is available, administrators should be particularly cautious when clicking links while logged into their WordPress dashboard (NVD Database).