CVE-2025-68049 Overview
CVE-2025-68049 is a broken access control vulnerability affecting the bunny.net WordPress plugin in versions 2.3.6 and earlier. The flaw allows authenticated users holding the low-privileged Subscriber role to access functionality that should be restricted to higher-privileged accounts. The weakness maps to [CWE-862: Missing Authorization], where the plugin fails to verify the caller's capabilities before executing sensitive operations.
Critical Impact
Authenticated subscribers can invoke plugin actions outside their authorization scope, leading to limited impact on the confidentiality, integrity, and availability of WordPress sites running the bunny.net plugin.
Affected Products
- bunny.net WordPress plugin (bunnycdn) versions <= 2.3.6
- WordPress installations integrating bunny.net CDN through the affected plugin
- Sites permitting open user registration with default Subscriber role assignment
Discovery Timeline
- 2026-06-15 - CVE-2025-68049 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-68049
Vulnerability Analysis
The bunny.net plugin exposes administrative or privileged actions through WordPress AJAX or REST endpoints without performing adequate capability checks. A user authenticated as a Subscriber, the lowest standard WordPress role, can invoke these endpoints and trigger operations intended for administrators or editors.
The vulnerability falls under [CWE-862: Missing Authorization]. The plugin relies on authentication state alone rather than verifying that the calling user holds the required capability such as manage_options. This pattern is common in WordPress plugins that protect endpoints with nonce checks or is_user_logged_in() but omit current_user_can() validation.
The EPSS data places exploitation probability at 0.242%, reflecting the limited but non-trivial accessibility of the flaw on sites that allow user registration.
Root Cause
The root cause is missing authorization logic on plugin handlers. Functions that modify plugin configuration, interact with the bunny.net CDN backend, or expose internal data do not validate the caller's role before executing. An attacker only needs valid WordPress credentials at the Subscriber tier to reach the vulnerable code paths.
Attack Vector
The attack vector is network-based and requires authentication. An attacker registers an account on a target WordPress site, authenticates, and issues crafted HTTP requests to the plugin's exposed endpoints. The request bypasses access controls because the plugin handler omits capability verification before performing privileged actions.
No public proof-of-concept code has been released. Technical details are documented in the Patchstack Vulnerability Advisory.
Detection Methods for CVE-2025-68049
Indicators of Compromise
- Unexpected modifications to bunny.net plugin settings or CDN configuration without administrator action
- HTTP requests to plugin AJAX or REST routes originating from accounts with the Subscriber role
- Newly registered Subscriber accounts followed shortly by requests to /wp-admin/admin-ajax.php referencing bunny.net actions
Detection Strategies
- Review WordPress audit logs for plugin configuration changes correlated with non-administrative session IDs
- Inspect web server access logs for POST requests to bunny.net plugin endpoints issued by low-privileged users
- Compare current plugin settings against known-good baselines to identify unauthorized drift
Monitoring Recommendations
- Enable WordPress activity logging to capture role-action mismatches and AJAX endpoint usage
- Alert on any privileged plugin action performed by users below the Editor role
- Track creation of new Subscriber accounts in conjunction with immediate API activity
How to Mitigate CVE-2025-68049
Immediate Actions Required
- Update the bunny.net WordPress plugin to a version newer than 2.3.6 once a patched release is available
- Audit user accounts and remove unrecognized Subscriber-level registrations
- Disable open user registration on sites where it is not operationally required by setting users_can_register to 0
Patch Information
Consult the Patchstack Vulnerability Advisory for the current fixed version and upgrade guidance. Apply the vendor-supplied update through the WordPress plugin dashboard or via WP-CLI.
Workarounds
- Restrict access to /wp-admin/admin-ajax.php and REST API routes for unauthenticated and low-privileged users using a web application firewall (WAF) rule
- Temporarily deactivate the bunny.net plugin if patching cannot be performed promptly
- Enforce least-privilege role assignment and review the default registration role under Settings > General
# Disable open registration and update plugin via WP-CLI
wp option update users_can_register 0
wp plugin update bunnycdn
wp user list --role=subscriber --fields=ID,user_login,user_registered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

