CVE-2025-10749 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Microsoft Azure Storage for WordPress plugin, affecting all versions up to and including 4.5.1. The root cause is the absence of proper capability checks on the 'azure-storage-media-replace' AJAX action endpoint. This endpoint is responsible for handling media replacement requests via the 'replace_attachment' parameter. The plugin exposes a nonce token to all authenticated users, including those with subscriber-level access, which should normally have limited privileges. Because of the missing authorization validation, any authenticated user at this level or above can invoke the AJAX action to delete arbitrary media files from the WordPress Media Library. This deletion can disrupt website content, cause loss of media assets, and impact site availability. The vulnerability does not require user interaction beyond authentication and does not affect confidentiality, but it compromises the integrity and availability of media files. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required at a low level, no user interaction, unchanged scope, no confidentiality impact, but integrity and availability impacts are present. No patches were linked at the time of reporting, and no known exploits have been observed in the wild. The vulnerability is significant for websites using this plugin integrated with Microsoft Azure Storage, especially those that allow subscriber-level users to authenticate, such as multi-author blogs or community sites.

For European organizations, this vulnerability poses a risk primarily to the integrity and availability of media content hosted on WordPress sites using the Microsoft Azure Storage plugin. Media files such as images, videos, and documents could be arbitrarily deleted by low-privileged authenticated users, potentially disrupting website functionality, damaging brand reputation, and causing operational downtime. Organizations relying on WordPress for marketing, e-commerce, or customer engagement may experience content loss leading to negative user experience and financial impact. Since the vulnerability requires authenticated access at subscriber level, insider threats or compromised low-privilege accounts could be exploited. The absence of confidentiality impact reduces risk of data leakage, but the potential for denial of service on media assets is significant. European entities with strict content availability requirements or regulatory obligations around data integrity may face compliance challenges if media assets are lost or manipulated. The lack of known exploits in the wild currently limits immediate widespread impact, but the ease of exploitation and low privilege requirement make it a credible threat vector.

1. Monitor for and apply security patches or updates from the plugin vendor (10up) as soon as they become available to address the missing authorization checks. 2. Temporarily restrict or audit subscriber-level user permissions to limit access to media management features until a patch is applied. 3. Implement strict user role management and limit the number of users with subscriber-level or higher access, especially on sites with many contributors. 4. Use Web Application Firewalls (WAF) to detect and block suspicious AJAX requests targeting the 'azure-storage-media-replace' action. 5. Enable logging and alerting on media deletion events to quickly identify unauthorized deletions. 6. Consider disabling or replacing the Microsoft Azure Storage for WordPress plugin if immediate patching is not feasible, or isolate its usage to less critical sites. 7. Educate site administrators and users about the risk of low-privilege account compromise and enforce strong authentication mechanisms such as MFA. 8. Regularly back up media libraries to enable recovery from unauthorized deletions.