Merge pull request #271 from 10up/release/4.5.2

peterwilsoncc · web-flow · commit 846cd2f37566 · 2025-10-29T10:20:19.000+11:00
Release version 4.5.2
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file, per [the Ke
 
 ## [Unreleased] - TBD
 
+## [4.5.2] - 2025-10-29
+### Security
+- Add capability check when replacing media to prevent privilege escalation by authenticated users (props [@peterwilsoncc](https://github.com/peterwilsoncc), [@dkotter](https://github.com/dkotter) via [GHSA-pwm5-mwxv-fjrh](https://github.com/10up/windows-azure-storage/security/advisories/GHSA-pwm5-mwxv-fjrh), [CVE-2025-10749](https://www.cve.org/CVERecord?id=CVE-2025-10749))
+- Bump `minimatch` from 4.0.7 to 4.0.8 (props [@dependabot](https://github.com/apps/dependabot) via [#253](https://github.com/10up/windows-azure-storage/pull/253)).
+
+### Changed
+- Bump WordPress "tested up to" version 6.7 (props [@mehidi258](https://github.com/mehidi258), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@hugosolar](https://github.com/hugosolar) via [#259](https://github.com/10up/windows-azure-storage/pull/259)).
+- Bump WordPress "tested up to" version 6.7 (props [@QAharshalkadu](https://github.com/QAharshalkadu), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#264](https://github.com/10up/windows-azure-storage/pull/264)).
+
+### Developer
+- Update all third-party actions our workflows rely on to use versions based on specific commit hashes (props [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#262](https://github.com/10up/windows-azure-storage/pull/262)).
+- Updated GitHub Action workflow permissions (props [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#265](https://github.com/10up/windows-azure-storage/pull/265)).
+- Clarified all license references to explicitly reference BSD-2-Clause (props [@jeffpaul](https://github.com/jeffpaul), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#269](https://github.com/10up/windows-azure-storage/pull/269)).
+
 ## [4.5.1] - 2024-07-17
 ### Fixed
 - Fix path issue that duplicates the container name in URL paths (props [@hugosolar](https://github.com/hugosolar), [@cally423](https://github.com/cally423), [@Besdima](https://github.com/Besdima), [@ms2oo8](https://github.com/ms2oo8), [@BCornelissen](https://github.com/BCornelissen), [@dkotter](https://github.com/dkotter) via [#246](https://github.com/10up/windows-azure-storage/pull/246)).
@@ -289,6 +303,7 @@ All notable changes to this project will be documented in this file, per [the Ke
 - First release of Microsoft Azure Storage plugin for WordPress.
 
 [Unreleased]: https://github.com/10up/windows-azure-storage/compare/trunk...develop
+[4.5.2]: https://github.com/10up/windows-azure-storage/compare/4.5.1...4.5.2
 [4.5.1]: https://github.com/10up/windows-azure-storage/compare/4.5.0...4.5.1
 [4.5.0]: https://github.com/10up/windows-azure-storage/compare/4.4.2...4.5.0
 [4.4.2]: https://github.com/10up/windows-azure-storage/compare/4.4.1...4.4.2
diff --git a/CREDITS.md b/CREDITS.md
@@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo
 
 Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
 
-[Microsoft Open Technologies (@msopentech)](https://github.com/msopentech), [10up (@10up)](https://github.com/10up), [Morgan Estes (@morganestes)](https://github.com/morganestes), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Lukas Pawlik (@lukaspawlik)](https://github.com/lukaspawlik), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Allan Collins (@allan23)](https://github.com/allan23), [(@jpaarhuis)](https://github.com/jpaarhuis), [Thorsten Ott (@tott)](https://github.com/tott), [Scott Lee (@scottlee)](https://github.com/scottlee), [Emmanuel Fidelino (@EmmanF)](https://github.com/EmmanF), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [(@mrgregwaugh)](https://github.com/mrgregwaugh), [Elliott Stocks (@elliott-stocks)](https://github.com/elliott-stocks), [Brad Parbs (@bradp)](https://github.com/bradp), [Bibin Kurian (@bibinkurian)](https://github.com/bibinkurian), [Anu Thomas Chandy (@anuchandy)](https://github.com/anuchandy), [Suman Chawla (@suchawla)](https://github.com/suchawla), [(@mksunitha)](https://profiles.wordpress.org/mksunitha/), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [John Watkins (@johnwatkins0)](https://github.com/johnwatkins0), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Jay Wood (@jaywood)](https://github.com/jaywood), [Ravi Chandra (@ravichdev)](https://github.com/ravichdev), [Ricky Lee Whittemore (@rickalee)](https://github.com/rickalee), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Ricardo Moraleida (@moraleida)](https://github.com/moraleida), [Kentaro Ohkouchi (@nanasess)](https://github.com/nanasess), [David Greenwald (@davidegreenwald)](https://github.com/davidegreenwald), [Shah Qureshi (@ShahAaron)](https://github.com/ShahAaron), [(@lostfields)](https://github.com/lostfields), [Matthew McAchran (@mmcachran)](https://github.com/mmcachran), [Jake Edwards (@ShadowXVII)](https://github.com/ShadowXVII), [Cole Geissinger (@colegeissinger)](https://github.com/colegeissinger), [(@cally423)](https://github.com/cally423), [(@FreuxF)](https://github.com/FreuxF), [Eric Greenfield (@saltnpixels)](https://github.com/saltnpixels), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Max Lyuchin (@cadic)](https://github.com/cadic), [Marius L. Jensen (@Clorith)](https://github.com/Clorith), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Debabrata Karfa (@debabratakarfa)](https://github.com/debabratakarfa), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Curtis Loisel (@csloisel)](https://github.com/csloisel), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Andrew Herder (@superpowered)](https://github.com/superpowered), [Giovanbattista Amato (@gioamato)](https://github.com/gioamato), [Barney Jeffries (@barneyjeffries)](https://github.com/barneyjeffries), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Ben Marshall (@bmarshall511)](https://github.com/bmarshall511), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [Harshal Kadu (@QAharshalkadu)](https://github.com/QAharshalkadu), [Radovan Šmitala (@radeno)](https://github.com/radeno), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Hugo Solar (@hugosolar)](https://github.com/hugosolar), [Mark Waser (@MWaser)](https://github.com/MWaser), [Oka Tai-Lee (@okadots)](https://github.com/okadots), [Sarah Nicholson (@sarahannnicholson)](https://github.com/sarahannnicholson), [Nicola Peluchetti (@nicoladj77)](https://github.com/nicoladj77), [Shakir Ali (@engrshakirali)](https://github.com/engrshakirali), [Ali Awwad (@ali-awwad)](https://github.com/ali-awwad), [(@glowmedia)](https://github.com/glowmedia), [Besdima (@Besdima)](https://github.com/Besdima), [(@ms2oo8)](https://github.com/ms2oo8), [Bob Cornelissen (@BCornelissen)](https://github.com/BCornelissen).
+[Microsoft Open Technologies (@msopentech)](https://github.com/msopentech), [10up (@10up)](https://github.com/10up), [Morgan Estes (@morganestes)](https://github.com/morganestes), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Lukas Pawlik (@lukaspawlik)](https://github.com/lukaspawlik), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Allan Collins (@allan23)](https://github.com/allan23), [(@jpaarhuis)](https://github.com/jpaarhuis), [Thorsten Ott (@tott)](https://github.com/tott), [Scott Lee (@scottlee)](https://github.com/scottlee), [Emmanuel Fidelino (@EmmanF)](https://github.com/EmmanF), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [(@mrgregwaugh)](https://github.com/mrgregwaugh), [Elliott Stocks (@elliott-stocks)](https://github.com/elliott-stocks), [Brad Parbs (@bradp)](https://github.com/bradp), [Bibin Kurian (@bibinkurian)](https://github.com/bibinkurian), [Anu Thomas Chandy (@anuchandy)](https://github.com/anuchandy), [Suman Chawla (@suchawla)](https://github.com/suchawla), [(@mksunitha)](https://profiles.wordpress.org/mksunitha/), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [John Watkins (@johnwatkins0)](https://github.com/johnwatkins0), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Jay Wood (@jaywood)](https://github.com/jaywood), [Ravi Chandra (@ravichdev)](https://github.com/ravichdev), [Ricky Lee Whittemore (@rickalee)](https://github.com/rickalee), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Ricardo Moraleida (@moraleida)](https://github.com/moraleida), [Kentaro Ohkouchi (@nanasess)](https://github.com/nanasess), [David Greenwald (@davidegreenwald)](https://github.com/davidegreenwald), [Shah Qureshi (@ShahAaron)](https://github.com/ShahAaron), [(@lostfields)](https://github.com/lostfields), [Matthew McAchran (@mmcachran)](https://github.com/mmcachran), [Jake Edwards (@ShadowXVII)](https://github.com/ShadowXVII), [Cole Geissinger (@colegeissinger)](https://github.com/colegeissinger), [(@cally423)](https://github.com/cally423), [(@FreuxF)](https://github.com/FreuxF), [Eric Greenfield (@saltnpixels)](https://github.com/saltnpixels), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Max Lyuchin (@cadic)](https://github.com/cadic), [Marius L. Jensen (@Clorith)](https://github.com/Clorith), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Debabrata Karfa (@debabratakarfa)](https://github.com/debabratakarfa), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Curtis Loisel (@csloisel)](https://github.com/csloisel), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Andrew Herder (@superpowered)](https://github.com/superpowered), [Giovanbattista Amato (@gioamato)](https://github.com/gioamato), [Barney Jeffries (@barneyjeffries)](https://github.com/barneyjeffries), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Ben Marshall (@bmarshall511)](https://github.com/bmarshall511), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [Harshal Kadu (@QAharshalkadu)](https://github.com/QAharshalkadu), [Radovan Šmitala (@radeno)](https://github.com/radeno), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Hugo Solar (@hugosolar)](https://github.com/hugosolar), [Mark Waser (@MWaser)](https://github.com/MWaser), [Oka Tai-Lee (@okadots)](https://github.com/okadots), [Sarah Nicholson (@sarahannnicholson)](https://github.com/sarahannnicholson), [Nicola Peluchetti (@nicoladj77)](https://github.com/nicoladj77), [Shakir Ali (@engrshakirali)](https://github.com/engrshakirali), [Ali Awwad (@ali-awwad)](https://github.com/ali-awwad), [(@glowmedia)](https://github.com/glowmedia), [Besdima (@Besdima)](https://github.com/Besdima), [(@ms2oo8)](https://github.com/ms2oo8), [Bob Cornelissen (@BCornelissen)](https://github.com/BCornelissen), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258).
 
 ## Libraries
 
diff --git a/js/windows-azure-storage-admin.js b/js/windows-azure-storage-admin.js
@@ -1,4 +1,4 @@
-/*!  - v4.5.1
+/*!  - v4.5.2
  * https://github.com/10up/windows-azure-storage#readme
  * Copyright (c) 2025; */
 (function ( $, window, undefined ) {
diff --git a/js/windows-azure-storage-media-browser.js b/js/windows-azure-storage-media-browser.js
@@ -1,4 +1,4 @@
-/*!  - v4.5.1
+/*!  - v4.5.2
  * https://github.com/10up/windows-azure-storage#readme
  * Copyright (c) 2025; */
 window.wp = window.wp || {};
diff --git a/js/windows-azure-storage-media-replace.js b/js/windows-azure-storage-media-replace.js
@@ -1,4 +1,4 @@
-/*!  - v4.5.1
+/*!  - v4.5.2
  * https://github.com/10up/windows-azure-storage#readme
  * Copyright (c) 2025; */
 function generateCacheVar(length) {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "windows-azure-storage",
-  "version": "4.5.1",
+  "version": "4.5.2",
   "description": "Use the Microsoft Azure Storage service to host your website's media files.",
   "homepage": "https://github.com/10up/windows-azure-storage#readme",
   "bugs": {
diff --git a/readme.txt b/readme.txt
@@ -2,7 +2,7 @@
 Contributors:      msopentech, 10up, morganestes, stevegrunwell, lpawlik, ritteshpatel, johnwatkins0, rickalee, eflorea, phyrax, ravichandra, jeffpaul
 Tags:              Microsoft Azure Storage, Media Files, Upload, CDN, blob storage
 Tested up to:      6.8
-Stable tag:        4.5.1
+Stable tag:        4.5.2
 License:           BSD-2-Clause
 License URI:       https://spdx.org/licenses/BSD-2-Clause.html
 
@@ -35,6 +35,15 @@ See Settings->Microsoft Azure for more information.
 
 == Changelog ==
 
+= 4.5.2 - 2025-10-29 =
+* **Security:** Add capability check when replacing media to prevent privilege escalation by authenticated users (props [@peterwilsoncc](https://github.com/peterwilsoncc), [@dkotter](https://github.com/dkotter) via [GHSA-pwm5-mwxv-fjrh](https://github.com/10up/windows-azure-storage/security/advisories/GHSA-pwm5-mwxv-fjrh), [CVE-2025-10749](https://www.cve.org/CVERecord?id=CVE-2025-10749))
+* **Security:** Bump `minimatch` from 4.0.7 to 4.0.8 (props [@dependabot](https://github.com/apps/dependabot) via [#253](https://github.com/10up/windows-azure-storage/pull/253)).
+* **Changed:** Bump WordPress "tested up to" version 6.7 (props [@mehidi258](https://github.com/mehidi258), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@hugosolar](https://github.com/hugosolar) via [#259](https://github.com/10up/windows-azure-storage/pull/259)).
+* **Changed:** Bump WordPress "tested up to" version 6.7 (props [@QAharshalkadu](https://github.com/QAharshalkadu), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#264](https://github.com/10up/windows-azure-storage/pull/264)).
+* **Developer:** Update all third-party actions our workflows rely on to use versions based on specific commit hashes (props [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#262](https://github.com/10up/windows-azure-storage/pull/262)).
+* **Developer:** Updated GitHub Action workflow permissions (props [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#265](https://github.com/10up/windows-azure-storage/pull/265)).
+* **Developer:** Clarified all license references to explicitly reference BSD-2-Clause (props [@jeffpaul](https://github.com/jeffpaul), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#269](https://github.com/10up/windows-azure-storage/pull/269)).
+
 = 4.5.1 - 2024-07-17 =
 * **Fixed:** Fix path issue that duplicates the container name in URL paths (props [@hugosolar](https://github.com/hugosolar), [@cally423](https://github.com/cally423), [@Besdima](https://github.com/Besdima), [@ms2oo8](https://github.com/ms2oo8), [@BCornelissen](https://github.com/BCornelissen), [@dkotter](https://github.com/dkotter) via [#246](https://github.com/10up/windows-azure-storage/pull/246)).
 
@@ -66,19 +75,13 @@ See Settings->Microsoft Azure for more information.
 * **Changed:** Align our PHP minimum version checks to use new helper method (props [@radeno](https://github.com/radeno), [@ravinderk](https://github.com/ravinderk) via [#202](https://github.com/10up/windows-azure-storage/pull/202)).
 * **Fixed:** Remove urlencode from srcset calculation function (props [@hugosolar](https://github.com/hugosolar), [@rickalee](https://github.com/rickalee), [@Sidsector9](https://github.com/Sidsector9) via [#211](https://github.com/10up/windows-azure-storage/pull/211)).
 
-= 4.4.0 - 2023-10-17 =
-**Note that this release bumps the minimum PHP version from 7.4 to 8.0**
-
-* **Added:** Check for minimum required PHP version before loading the plugin (props [@bmarshall511](https://github.com/bmarshall511), [@iamdharmesh](https://github.com/iamdharmesh) via [#200](https://github.com/10up/windows-azure-storage/pull/200)).
-* **Changed:** Update to the `2020-04-08` version of the Azure Blob Storage API (props [@thrijith](https://github.com/thrijith), [@colegeissinger](https://github.com/colegeissinger) via [#136](https://github.com/10up/windows-azure-storage/pull/136)).
-* **Changed:** Bump minimum PHP version from 7.4 to 8.0 (props [@thrijith](https://github.com/thrijith), [@colegeissinger](https://github.com/colegeissinger) via [#136](https://github.com/10up/windows-azure-storage/pull/136)).
-* **Changed:** Bump WordPress version "tested up to" 6.3 (props [@QAharshalkadu](https://github.com/QAharshalkadu), [@jeffpaul](https://github.com/jeffpaul), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#192](https://github.com/10up/windows-azure-storage/pull/192), [#198](https://github.com/10up/windows-azure-storage/pull/198)).
-* **Changed:** Bump `cypress` from 10.11.0 to 13.1.0, `@10up/cypress-wp-utils` from 0.1.0 to 0.2.0 and `@wordpress/env` from 5.13.0 to 8.7.0, to ensure E2E tests work on the latest version of WordPress (props [@iamdharmesh](https://github.com/iamdharmesh), [@Sidsector9](https://github.com/Sidsector9) via [#199](https://github.com/10up/windows-azure-storage/pull/199)).
-
 [View historical changelog details here](https://github.com/10up/windows-azure-storage/blob/develop/CHANGELOG.md).
 
 == Upgrade Notice ==
 
+= 4.5.2 =
+This is a security release, it is recommended to upgrade immediately.
+
 = 4.4.2 =
 Note that this release bumps the minimum WordPress version from 5.7 to 6.3.
 
diff --git a/windows-azure-storage.php b/windows-azure-storage.php
@@ -3,7 +3,7 @@
  * Plugin Name:       Microsoft Azure Storage for WordPress
  * Plugin URI:        https://wordpress.org/plugins/windows-azure-storage/
  * Description:       Use the Microsoft Azure Storage service to host your website's media files.
- * Version:           4.5.1
+ * Version:           4.5.2
  * Requires at least: 6.6
  * Requires PHP:      8.0
  * Author:            10up, Microsoft Open Technologies
@@ -62,7 +62,7 @@
 define( 'MSFT_AZURE_PLUGIN_PATH', plugin_dir_path( __FILE__ ) );
 define( 'MSFT_AZURE_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 define( 'MSFT_AZURE_PLUGIN_LEGACY_MEDIA_URL', get_admin_url( get_current_blog_id(), 'media-upload.php' ) );
-define( 'MSFT_AZURE_PLUGIN_VERSION', '4.5.1' );
+define( 'MSFT_AZURE_PLUGIN_VERSION', '4.5.2' );
 
 /**
  * Get the minimum version of PHP required by this plugin.

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/*! - v4.5.1`
	`1`	`+/*! - v4.5.2`
`2`	`2`	`* https://github.com/10up/windows-azure-storage#readme`
`3`	`3`	`* Copyright (c) 2025; */`
`4`	`4`	`(function ( $, window, undefined ) {`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "windows-azure-storage",`
`3`		`- "version": "4.5.1",`
	`3`	`+ "version": "4.5.2",`
`4`	`4`	`"description": "Use the Microsoft Azure Storage service to host your website's media files.",`
`5`	`5`	`"homepage": "https://github.com/10up/windows-azure-storage#readme",`
`6`	`6`	`"bugs": {`