Impact
The Run Log plugin for WordPress is vulnerable to cross-site request forgery (CSRF): an attacker can cause forged HTTP requests to be submitted that modify configuration options such as distance units, pace display, theme style, and display positions. The flaw exists because the oirl_plugin_options function either omits the required nonce check or verifies the nonce incorrectly. Unlike a remote code execution flaw, this weakness does not expose code execution; it lets an unauthenticated attacker change a site's presentation and behavior by tricking a logged-in administrator into following a crafted link or submitting a prepared form.
Affected Systems
The affected product is the "Run Log" plugin developed by izem for WordPress. All versions up to and including 1.7.10 contain the flaw; later releases contain a fix that implements proper nonce validation for the settings update endpoint.
Risk and Exploitability
The CVSS score of 4.3 places this issue at a moderate severity level. An EPSS score of less than 1% reflects a very low estimated exploitation probability. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires inducing an administrator to open a crafted link or click a crafted button that submits a state-changing request without a valid nonce, thereby changing the plugin's options. Based on the description, it is inferred that the attacker does not need an account on the target site; however, the forged request only takes effect when it is executed from a legitimate administrator's authenticated browser session, so an arbitrary visitor cannot trigger the change directly. While the impact is limited to configuration data, it can degrade the user experience or be used to push unwanted theme and display changes, so timely remediation is recommended.
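The pattern behind this advisory is a settings handler that writes options on POST without proving the request came from a form WordPress rendered for the current administrator. The following is an added illustration written for this page; it is not the Run Log plugin's own code and does not reproduce oirl_plugin_options. Every name prefixed example_ (the functions, the option key, the nonce action and field name) is a hypothetical placeholder. The first function shows the vulnerable shape the advisory describes; the second shows the fix the later releases are said to implement, a nonce check, combined with the capability check and value validation a hardened handler should also have.

```php
<?php
/*
 * Added illustration (not the Run Log plugin's code): a minimal WordPress
 * settings handler in the shape the advisory describes. All example_ names
 * are hypothetical; only the nonce / CSRF pattern is the point.
 */

// --- Vulnerable shape: a state change on POST with no nonce check. ----------
// Any request that arrives with the administrator's cookies is accepted,
// because nothing ties the request to a form this plugin rendered for this
// user. That is exactly the condition a cross-site request forgery exploits.
function example_runlog_save_options_vulnerable() {
    if ( isset( $_POST['example_runlog_units'] ) ) {
        update_option( 'example_runlog_units', $_POST['example_runlog_units'] );
    }
}

// --- Hardened shape: nonce in the form, nonce + capability check on save. ---
function example_runlog_render_form() {
    ?>
    <form method="post">
        <?php
        // Emits a hidden field holding a nonce bound to this action name and
        // to the current user's session; a page on another origin cannot
        // obtain or guess it.
        wp_nonce_field( 'example_runlog_save', 'example_runlog_nonce' );
        ?>
        <label for="example_runlog_units">Distance units</label>
        <select name="example_runlog_units" id="example_runlog_units">
            <option value="km">km</option>
            <option value="mi">mi</option>
        </select>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_runlog_save_options_hardened() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }

    // 1. Authorisation: only users permitted to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Intent: the nonce must match the action and field emitted by
    //    wp_nonce_field() above. check_admin_referer() calls wp_die() itself
    //    when the nonce is missing or invalid, so a forged request stops here.
    check_admin_referer( 'example_runlog_save', 'example_runlog_nonce' );

    // 3. Validation: accept only known values, never the raw POST string.
    $allowed = array( 'km', 'mi' );
    $units   = isset( $_POST['example_runlog_units'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_runlog_units'] ) )
        : '';
    if ( ! in_array( $units, $allowed, true ) ) {
        wp_die( 'Invalid value.', '', array( 'response' => 400 ) );
    }

    update_option( 'example_runlog_units', $units );
}
```

Note that the nonce check and the capability check address different questions: `current_user_can()` asks whether the user is allowed to change the setting, `check_admin_referer()` asks whether the user actually intended this request. A handler that has the first but not the second is still vulnerable to the forgery described above, because the administrator is allowed; they simply did not mean to submit. Plugins that register their options with `register_setting()` and post the form to `options.php` get both checks from WordPress core, which is the simplest way to avoid reintroducing this class of bug.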
OpenCVE Enrichment