CVE-2025-9629: 
WordPress vulnerability analysis and mitigation

The USS Upyun plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.5.0. The vulnerability was discovered on September 16, 2025, and is tracked as CVE-2025-9629. The issue affects the usssettingpage function when processing the uss_set form type due to missing or incorrect nonce validation (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The issue stems from improper security controls in the form processing functionality, specifically in the usssettingpage function when handling the uss_set form type. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

If exploited, this vulnerability allows unauthenticated attackers to modify critical Upyun cloud storage settings including bucket name, operator credentials, upload paths, and image processing parameters. The attack requires user interaction, as the attacker must trick a site administrator into performing an action such as clicking on a malicious link (NVD).

Users should upgrade to version 1.5.1 or later of the USS Upyun plugin which includes proper nonce validation. Until the update can be applied, administrators should exercise caution when clicking on links while logged into WordPress (Wordfence).