Description
The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter, provided they can access the nonce, which is exposed to all authenticated users.
Published: 2025-10-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Media Deletion
Action: Patch Upgrade
AI Analysis

Impact

The Microsoft Azure Storage for WordPress plugin contains a missing capability check on the 'azure-storage-media-replace' AJAX action, allowing an authenticated user with a subscriber role or greater to delete arbitrary media attachments by supplying a replace_attachment parameter. The weakness is CWE-862 (Missing Authorization): the action is guarded only by a nonce, and because that nonce is exposed to every authenticated user it proves nothing about whether the caller is allowed to delete the targeted attachment. The CVE description states explicitly that media files can be deleted from the WordPress Media Library; the practical consequence is loss of media assets (broken images, downloads and other attachments on the site) rather than any data disclosure, which matches the CVSS vector's integrity and availability impact with no confidentiality impact.

Affected Systems

WordPress sites running the Microsoft Azure Storage for WordPress plugin version 4.5.1 or earlier from the vendor 10up are affected. The vulnerability applies to all installations of this plugin version range and does not affect later releases. No additional version details are provided.

Risk and Exploitability

The CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) indicates medium severity: the attack is network-reachable and low-complexity, but it requires an authenticated session with at least subscriber-level privileges, and the impact is limited to the integrity and availability of media files. The nonce requirement is not a meaningful barrier, since the description states the nonce is exposed to all authenticated users. The EPSS score is below 1%, suggesting a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The practical risk is highest on sites that allow open user registration, because Subscriber is the default role for self-registered accounts and any such account can reach the endpoint; unattended sites could suffer media loss or defacement before anyone notices.

Generated by OpenCVE AI on April 22, 2026 at 03:58 UTC.

Remediation

No vendor advisory, fix reference or workaround is linked in this record (the References field in the CVE entry is empty). The description's wording, "all versions up to, and including, 4.5.1", indicates that later releases are not affected.

OpenCVE Recommended Actions

  • Upgrade Microsoft Azure Storage for WordPress to a release later than 4.5.1; the description says every version up to and including 4.5.1 is affected, so confirm the installed version after upgrading (for example with WP-CLI's wp plugin list).
  • If an upgrade is not feasible, add a capability check that runs before the plugin's own handler for the "azure-storage-media-replace" AJAX action, for example from a must-use plugin that hooks wp_ajax_azure-storage-media-replace at a low priority and rejects the request unless current_user_can("manage_options") (administrators only). The active theme's functions.php also works, but that check is lost on a theme switch.
  • After applying the fix, audit the Media Library for attachments whose files are gone (an attachment post whose _wp_attached_file no longer exists in storage) and restore any lost files from backup. Where request logging exists, review requests to admin-ajax.php carrying action=azure-storage-media-replace from non-administrator accounts to scope the damage.
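The interim hardening described above, written out as a must-use plugin. This is an added example, not code from the Microsoft Azure Storage for WordPress plugin or from 10up. It assumes the plugin registers its handler on the standard wp_ajax_azure-storage-media-replace hook at WordPress's default priority (10), and that the targeted attachment ID arrives in the replace_attachment request parameter as the CVE description states; the function name and messages are arbitrary.

```php
<?php
/**
 * Plugin Name: Guard azure-storage-media-replace (temporary workaround for CVE-2025-10749)
 *
 * Added example, not the plugin's own code. Place this file directly in
 * wp-content/mu-plugins/ so it loads before regular plugins. Assumptions:
 * the vulnerable handler is attached to wp_ajax_azure-storage-media-replace
 * at the default priority 10, and the attachment ID is sent as the
 * replace_attachment request parameter.
 */

// Priority 0 runs before the plugin's handler (assumed priority 10), so a
// rejected request never reaches the code that deletes the attachment.
add_action( 'wp_ajax_azure-storage-media-replace', 'cve_2025_10749_guard', 0 );

function cve_2025_10749_guard() {
	// Page recommendation: administrators only. manage_options is the
	// capability WordPress grants to the Administrator role.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
	}

	// Defence in depth: even an administrator should only be able to replace an
	// attachment that exists and that the meta capability delete_post allows
	// them to delete. admin-ajax.php accepts GET or POST, hence $_REQUEST.
	$attachment_id = isset( $_REQUEST['replace_attachment'] )
		? absint( $_REQUEST['replace_attachment'] )
		: 0;

	if ( $attachment_id > 0 ) {
		if ( 'attachment' !== get_post_type( $attachment_id ) ) {
			wp_send_json_error( array( 'message' => 'Not an attachment.' ), 400 );
		}
		if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
			wp_send_json_error( array( 'message' => 'Not allowed to delete this attachment.' ), 403 );
		}
	}

	// Falling through lets the plugin's own handler run unchanged for
	// requests that passed the checks.
}
```

wp_send_json_error() terminates the request after emitting the JSON body, so the plugin's callback never executes for a rejected caller. Before relying on it, confirm the assumption about ordering: has_action( 'wp_ajax_azure-storage-media-replace' ) returns the priority of the registered callback, and the guard must sit below it. Then test from a Subscriber account with a valid nonce: the response should be the 403 JSON error above and the attachment named in replace_attachment should still be present in the Media Library.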

Generated by OpenCVE AI on April 22, 2026 at 03:58 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000


Mon, 27 Oct 2025 22:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   10up
                                      10up microsoft Azure Storage For Wordpress
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    10up
                                      10up microsoft Azure Storage For Wordpress
                                      Wordpress
                                      Wordpress wordpress

Fri, 24 Oct 2025 13:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Oct 2025 08:30:00 +0000

Type          Values Removed   Values Added
Description                    The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter granted they can access the nonce which is exposed to all authenticated users.
Title                          Microsoft Azure Storage for WordPress <= 4.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Media Deletion
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1
                               {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

10up Microsoft Azure Storage For Wordpress
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:00.416Z

Reserved: 2025-09-19T20:14:48.909Z

Link: CVE-2025-10749

Vulnrichment

Updated: 2025-10-24T12:10:41.976Z

NVD

Status : Deferred

Published: 2025-10-24T09:15:41.670

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:00:08Z

Weaknesses