Description
The USS Upyun plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on the uss_setting_page function when processing the uss_set form type. This makes it possible for unauthenticated attackers to modify critical Upyun cloud storage settings including bucket name, operator credentials, upload paths, and image processing parameters via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes via CSRF
Action: Immediate Patch
AI Analysis

Impact

The USS Upyun plugin for WordPress is exposed to Cross‑Site Request Forgery because the uss_setting_page function does not correctly validate a nonce when it processes the uss_set form type. The attacker needs no account on the site: they host a page or link that submits the settings form to the victim's WordPress admin, and when a logged‑in administrator follows it, the administrator's browser attaches the valid session cookies and the request is accepted as the administrator's own. The forged submission can change critical Upyun cloud storage settings, including the bucket name, operator credentials, upload paths and image‑processing parameters, so the attacker ends up controlling where the site stores its media.
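The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: a WordPress settings handler that saves a posted form without a nonce check, next to the same handler hardened with a capability check and check_admin_referer(). The function names are borrowed from the advisory, but the option names, form fields, capability and menu slug are assumptions, not details taken from USS Upyun.

```php
<?php
// Added example, not USS Upyun's actual code. A hypothetical reconstruction of a
// WordPress settings page that saves a "uss_set" form. Option names, field names,
// the 'manage_options' capability and the menu slug are all assumptions.

// --- Vulnerable pattern: the POST is trusted because the user is logged in.
// Any page the admin visits can submit this form with the admin's cookies.
function uss_setting_page_vulnerable() {
    if ( isset( $_POST['type'] ) && 'uss_set' === $_POST['type'] ) {
        // "Incorrect" validation looks like this just as often as a missing check:
        // the return value of wp_verify_nonce() is computed and then ignored.
        wp_verify_nonce( $_POST['uss_nonce'] ?? '', 'uss_set_options' );

        update_option( 'uss_bucket',   sanitize_text_field( wp_unslash( $_POST['bucket'] ?? '' ) ) );
        update_option( 'uss_operator', sanitize_text_field( wp_unslash( $_POST['operator'] ?? '' ) ) );
        update_option( 'uss_password', sanitize_text_field( wp_unslash( $_POST['password'] ?? '' ) ) );
    }
    uss_render_form( false );
}

// --- Hardened pattern: authorisation (capability) plus a nonce bound to this action.
function uss_setting_page_hardened() {
    if ( isset( $_POST['type'] ) && 'uss_set' === $_POST['type'] ) {
        // A nonce is not an authorisation check; confirm the user may change options.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
        }
        // check_admin_referer() verifies the 'uss_nonce' field against the
        // 'uss_set_options' action and calls wp_die() if it is missing, expired or
        // forged. A cross-origin page cannot read the nonce, so it cannot supply it.
        check_admin_referer( 'uss_set_options', 'uss_nonce' );

        update_option( 'uss_bucket',   sanitize_text_field( wp_unslash( $_POST['bucket'] ?? '' ) ) );
        update_option( 'uss_operator', sanitize_text_field( wp_unslash( $_POST['operator'] ?? '' ) ) );
        update_option( 'uss_password', sanitize_text_field( wp_unslash( $_POST['password'] ?? '' ) ) );
    }
    uss_render_form( true );
}

// Renders the settings form; the hardened page embeds the nonce field.
function uss_render_form( $with_nonce ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=uss' ) ); ?>">
        <input type="hidden" name="type" value="uss_set">
        <?php if ( $with_nonce ) { wp_nonce_field( 'uss_set_options', 'uss_nonce' ); } ?>
        <label>Bucket   <input name="bucket"   value="<?php echo esc_attr( get_option( 'uss_bucket', '' ) ); ?>"></label>
        <label>Operator <input name="operator" value="<?php echo esc_attr( get_option( 'uss_operator', '' ) ); ?>"></label>
        <label>Password <input name="password" type="password" value=""></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two points worth noticing. check_admin_referer() fails closed (it dies on a bad nonce) whereas wp_verify_nonce() only returns false, so a handler that uses the latter must branch on the result, which is exactly what the vulnerable version forgets. And the nonce alone is not enough: it proves the request originated from a form WordPress rendered for this user, while current_user_can() proves the user is allowed to make the change; a settings page needs both.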

Affected Systems

WordPress installations that use USS Upyun plugin version 1.5.0 or earlier are affected. The vulnerability exists in all releases up to and including 1.5.0, regardless of other plugin or theme configurations, and specifically targets the settings page handling Upyun integration.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium) comes from the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: reachable over the network with low complexity and no privileges required of the attacker, but user interaction is required and the rated impact is limited to integrity (C:N, I:L, A:N). The EPSS score below 1% indicates a very low observed likelihood of exploitation at this time, the SSVC assessment records Exploitation: none and Automatable: no, and the vulnerability is not in CISA's KEV catalog, so there is no indication of exploitation in the wild. The attack path is a CSRF request delivered to a browser that holds an authenticated administrator session: the attacker must get a site admin to click a crafted link or visit a page that auto‑submits the forged uss_set form. A successful request alters the site's cloud storage settings; because those settings include the bucket and operator credentials, an attacker who points the plugin at storage they control would in principle receive the site's subsequent uploads, so the practical consequences can exceed what a "low integrity" rating suggests.

Generated by OpenCVE AI on April 21, 2026 at 02:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the installed USS Upyun version; every release up to and including 1.5.0 is affected. Apply the vendor update that restores nonce validation as soon as one is available. Until then, deactivating the plugin removes the vulnerable settings handler from the admin, at the cost of losing the Upyun integration.
  • Keep the set of accounts that can reach the plugin's settings page as small as possible. CSRF needs a logged‑in administrator's browser, so fewer such accounts means fewer viable targets.
  • Strong passwords and two‑factor authentication do not mitigate this issue: the forged request rides on an already‑authenticated session, and the browser attaches valid cookies regardless of how the login was protected. Instead, caution administrators against following untrusted links while logged in, review the plugin's stored Upyun settings (bucket, operator, upload paths) for unexpected changes, and rotate the Upyun operator credentials if tampering is suspected.


Advisories
Source: EUVD
ID: EUVD-2025-29673
Title: The USS Upyun plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on the uss_setting_page function when processing the uss_set form type. This makes it possible for unauthenticated attackers to modify critical Upyun cloud storage settings including bucket name, operator credentials, upload paths, and image processing parameters via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 17 Sep 2025 13:15:00 +0000

  • Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Sep 2025 11:00:00 +0000

  • First Time appeared: Wordpress, wordpress
  • Vendors & Products added: Wordpress, wordpress

Wed, 17 Sep 2025 02:15:00 +0000

  • Description added: The USS Upyun plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on the uss_setting_page function when processing the uss_set form type. This makes it possible for unauthenticated attackers to modify critical Upyun cloud storage settings including bucket name, operator credentials, upload paths, and image processing parameters via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
  • Title added: USS Upyun <= 1.5.0 - Cross-Site Request Forgery
  • Weaknesses added: CWE-352
  • References: none listed
  • Metrics (cvssV3_1) added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:24.791Z

Reserved: 2025-08-28T19:34:06.478Z

Link: CVE-2025-9629

Vulnrichment

Updated: 2025-09-17T13:09:53.081Z

NVD

Status : Deferred

Published: 2025-09-17T02:15:33.650

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses