CVE-2025-10749: CWE-862 Missing Authorization in 10up Microsoft Azure Storage for WordPress
The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter, provided they can access the nonce, which is exposed to all authenticated users.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-10749 is a CWE-862 (Missing Authorization) vulnerability in the Microsoft Azure Storage for WordPress plugin, affecting all versions up to and including 4.5.1. The root cause is the absence of a capability check on the handler for the 'azure-storage-media-replace' AJAX action. Any authenticated user with subscriber-level privileges or higher can therefore delete arbitrary media files from the WordPress Media Library via the 'replace_attachment' parameter. The nonce the handler requires is exposed to all authenticated users, so it provides no authorization barrier: a WordPress nonce only protects against CSRF and is not a substitute for a current_user_can() check. The vulnerability affects the integrity and availability of media assets stored in Azure via the plugin, potentially leading to content loss or site disruption. The attack vector is network-based, requires no user interaction beyond authentication, and is confined to installations of the affected plugin. No in-the-wild exploitation has been reported, but the vulnerability is a tangible risk to sites relying on this plugin for media storage. The CVSS v3.1 score of 5.4 (medium) reflects the low privileges required for exploitation and the potential impact on media integrity and availability.
Potential Impact
The primary impact of CVE-2025-10749 is unauthorized deletion of media files stored in the WordPress Media Library via the Azure Storage plugin. This can lead to loss of critical website content such as images, videos, and documents, potentially disrupting website functionality and user experience. For organizations, this could result in reputational damage, operational downtime, and increased recovery costs. Since the vulnerability requires only subscriber-level access, it lowers the barrier for exploitation by malicious insiders or compromised low-privilege accounts. The deletion of media assets could also affect marketing, e-commerce, and content delivery operations dependent on these files. Although the vulnerability does not directly expose confidential data, the loss of media integrity and availability can have significant business impact, especially for high-traffic or content-heavy websites. The lack of known exploits in the wild suggests limited current active exploitation, but the risk remains significant given the widespread use of WordPress and Azure Storage integration.
Mitigation Recommendations
1. Update the Microsoft Azure Storage for WordPress plugin to a patched version as soon as one is available from the vendor.
2. If a patch is not yet available, prevent subscriber-level users from reaching the 'azure-storage-media-replace' AJAX action: add a custom capability check in front of it, disable the action via plugin hooks, or block it with web application firewall (WAF) rules.
3. Monitor WordPress user roles and audit subscriber-level accounts for suspicious activity or unauthorized access.
4. Enforce strict access controls and multi-factor authentication (MFA) for all authenticated users to reduce the risk of account compromise.
5. Back up media files stored in Azure regularly so they can be restored quickly after a deletion.
6. Log and alert on media deletion events to detect exploitation attempts promptly.
7. Review nonce exposure and consider custom nonce validation or obfuscation techniques to limit unauthorized use; note that a nonce only mitigates CSRF, so it must be paired with a capability check rather than relied on for authorization.
8. Follow the plugin vendor's and community's updates and security advisories for this vulnerability.
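Mitigation 2 above can be implemented without modifying the plugin. The following is an added example, not the plugin's own code and not the vendor's fix: a must-use plugin that hooks the same AJAX action at an early priority and rejects the request unless the current user is allowed to delete the targeted attachment. It assumes the plugin registers its handler under the standard WordPress hook name for this action (`wp_ajax_azure-storage-media-replace`) at the default priority 10, and that the attachment ID arrives in the `replace_attachment` parameter named in the advisory; the function name `example_guard_media_replace` is hypothetical.

```php
<?php
/**
 * Plugin Name: Example guard for azure-storage-media-replace (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 * The hook name below follows the WordPress convention wp_ajax_{action} for the
 * 'azure-storage-media-replace' action named in the advisory; priority 1 runs
 * ahead of a handler registered at the default priority 10, so an unauthorized
 * request is terminated before any deletion code can execute.
 */

add_action( 'wp_ajax_azure-storage-media-replace', 'example_guard_media_replace', 1 );

function example_guard_media_replace() {
    // Parameter name taken from the advisory; value is treated as an attachment ID.
    $attachment_id = isset( $_REQUEST['replace_attachment'] )
        ? absint( wp_unslash( $_REQUEST['replace_attachment'] ) )
        : 0;

    // Reject missing, non-numeric or non-attachment targets outright.
    if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // Least privilege: the user must hold the meta capability to delete *this*
    // attachment. WordPress maps 'delete_post' to delete_posts/delete_others_posts
    // depending on ownership; a subscriber holds neither and is therefore denied.
    // A valid nonce is deliberately NOT accepted as a substitute: nonces only
    // defend against CSRF, which is exactly the gap behind CWE-862 here.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        // Emit an audit record so mitigation 6 (alerting on deletion attempts) has
        // something to match on. Format is constructed for this example.
        error_log( sprintf(
            'azure-storage-media-replace denied: user %d, attachment %d, ip %s',
            get_current_user_id(),
            $attachment_id,
            isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'You are not allowed to replace this attachment.' ), 403 );
    }

    // Authorized: return normally so the plugin's own handler at priority 10 runs.
}
```

`wp_send_json_error()` ends the request, so the plugin's handler never sees a denied request. If the plugin happens to register its handler at a priority lower than 10, lower the guard's priority accordingly (0 is the lowest WordPress will honour). The guard leaves the plugin's own nonce verification in place; it only adds the authorization check the advisory says is missing.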
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, France, India, Japan, Brazil, Netherlands, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-19T20:14:48.909Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fb3a1e0691a1b599160705
Added to database: 10/24/2025, 8:34:38 AM
Last enriched: 2/27/2026, 6:40:02 PM
Last updated: 3/24/2026, 10:50:14 PM