
Cloud Vulnerability DB
A community-led vulnerabilities database
The Microsoft Azure Storage for WordPress plugin is affected by an Unauthorized Arbitrary Media Deletion vulnerability (CVE-2025-10749) in versions up to and including 4.5.1. The vulnerability was discovered and disclosed on October 24, 2025. The issue affects the WordPress plugin's media handling functionality, specifically impacting installations using the Azure Storage integration (NVD CVE).
The vulnerability stems from missing capability checks on the 'azure-storage-media-replace' AJAX action. The security flaw is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (NVD CVE).
The vulnerability allows authenticated attackers with subscriber-level access or higher to delete arbitrary media files from the WordPress Media Library. This is possible through the replace_attachment parameter, provided they can access the nonce, which is exposed to all authenticated users (NVD CVE).
Users should upgrade to a version newer than 4.5.1 once it becomes available. Until then, it is recommended to carefully manage user roles and access to the WordPress Media Library (NVD CVE).
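Until a fixed release is installed, the missing capability check can be enforced from outside the plugin. The must-use plugin below is an added example, not code from the Azure Storage plugin or its vendor. It assumes the plugin registers its handler for the 'azure-storage-media-replace' action at a priority later than 0 and reads replace_attachment from the request; the `cvdb_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Guard azure-storage-media-replace (stopgap)
 * Description: Added example. Place in wp-content/mu-plugins/ so it loads
 *              before regular plugins and cannot be deactivated from the UI.
 */

// Priority 0 runs before handlers hooked at the default priority (10).
// Assumption: the affected plugin hooks this action at a priority > 0.
add_action( 'wp_ajax_azure-storage-media-replace', 'cvdb_guard_media_replace', 0 );

function cvdb_guard_media_replace() {
    // Parameter name comes from the advisory; reading it from $_REQUEST
    // (covering both GET and POST) is an assumption.
    $raw = isset( $_REQUEST['replace_attachment'] )
        ? wp_unslash( $_REQUEST['replace_attachment'] )
        : '';

    // Arrays and other non-scalar input are treated as invalid.
    $attachment_id = is_scalar( $raw ) ? absint( $raw ) : 0;

    // Only existing attachments are acceptable targets.
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        cvdb_deny( 'invalid attachment', $attachment_id );
    }

    // The authorization the vulnerable versions lack: the caller must be
    // allowed to upload media and to delete this specific attachment.
    // Subscribers hold neither capability in a default role setup.
    if ( ! current_user_can( 'upload_files' )
        || ! current_user_can( 'delete_post', $attachment_id ) ) {
        cvdb_deny( 'insufficient capability', $attachment_id );
    }

    // Returning normally lets the plugin's own handler run for permitted users.
}

function cvdb_deny( $reason, $attachment_id ) {
    // Leave a trail for detection: which account tried to touch which attachment.
    error_log( sprintf(
        'azure-storage-media-replace blocked: user=%d attachment=%d reason=%s',
        get_current_user_id(), $attachment_id, $reason
    ) );
    // Sends a 403 JSON response and terminates the request.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

The blocked-request log lines double as a detection signal: repeated entries from a low-privilege account indicate someone probing the action. Remove the file once the site runs a version newer than 4.5.1.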
Source: This report was generated using AI