CVE-2025-10649: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2024-10649) was discovered in wandb/openui's latest commit c945bb859979659add5f490a874140ad17c56a5d, affecting unauthenticated endpoints that allow file uploads and downloads from an AWS S3 bucket. The vulnerability was disclosed on February 10, 2025, and impacts the endpoints '/v1/share/{id:str}' for both uploading and downloading JSON files (NVD).

The vulnerability stems from missing authentication controls on critical file operation endpoints. The affected endpoints '/v1/share/{id:str}' allow both upload and download operations without proper authentication verification. The vulnerability has been assigned a CVSS v3.0 base score of 6.1 (Medium) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and no privileges required (NVD).

The vulnerability can lead to multiple security issues including denial of service (by filling up the S3 bucket space), stored Cross-Site Scripting (XSS) through malicious file uploads, and information disclosure through unauthorized access to stored files (NVD).

No official patches or mitigations have been publicly disclosed at the time of this report. Organizations using the affected software should monitor for updates and implement proper authentication controls on file operation endpoints (NVD).