Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68049

CVE-2025-68049: bunny.net Auth Bypass Vulnerability

CVE-2025-68049 is an authentication bypass flaw in bunny.net versions 2.3.6 and earlier due to broken access control. Attackers can bypass authentication to gain unauthorized access. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-68049 Overview

CVE-2025-68049 is a broken access control vulnerability affecting the bunny.net WordPress plugin in versions 2.3.6 and earlier. The flaw allows authenticated users holding the low-privileged Subscriber role to access functionality that should be restricted to higher-privileged accounts. The weakness maps to [CWE-862: Missing Authorization], where the plugin fails to verify the caller's capabilities before executing sensitive operations.

Critical Impact

Authenticated subscribers can invoke plugin actions outside their authorization scope, leading to limited impact on the confidentiality, integrity, and availability of WordPress sites running the bunny.net plugin.

Affected Products

  • bunny.net WordPress plugin (bunnycdn) versions <= 2.3.6
  • WordPress installations integrating bunny.net CDN through the affected plugin
  • Sites permitting open user registration with default Subscriber role assignment

Discovery Timeline

  • 2026-06-15 - CVE-2025-68049 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-68049

Vulnerability Analysis

The bunny.net plugin exposes administrative or privileged actions through WordPress AJAX or REST endpoints without performing adequate capability checks. A user authenticated as a Subscriber, the lowest standard WordPress role, can invoke these endpoints and trigger operations intended for administrators or editors.

The vulnerability falls under [CWE-862: Missing Authorization]. The plugin relies on authentication state alone rather than verifying that the calling user holds the required capability such as manage_options. This pattern is common in WordPress plugins that protect endpoints with nonce checks or is_user_logged_in() but omit current_user_can() validation.

The EPSS data places exploitation probability at 0.242%, reflecting the limited but non-trivial accessibility of the flaw on sites that allow user registration.

Root Cause

The root cause is missing authorization logic on plugin handlers. Functions that modify plugin configuration, interact with the bunny.net CDN backend, or expose internal data do not validate the caller's role before executing. An attacker only needs valid WordPress credentials at the Subscriber tier to reach the vulnerable code paths.

Attack Vector

The attack vector is network-based and requires authentication. An attacker registers an account on a target WordPress site, authenticates, and issues crafted HTTP requests to the plugin's exposed endpoints. The request bypasses access controls because the plugin handler omits capability verification before performing privileged actions.

No public proof-of-concept code has been released. Technical details are documented in the Patchstack Vulnerability Advisory.

Detection Methods for CVE-2025-68049

Indicators of Compromise

  • Unexpected modifications to bunny.net plugin settings or CDN configuration without administrator action
  • HTTP requests to plugin AJAX or REST routes originating from accounts with the Subscriber role
  • Newly registered Subscriber accounts followed shortly by requests to /wp-admin/admin-ajax.php referencing bunny.net actions

Detection Strategies

  • Review WordPress audit logs for plugin configuration changes correlated with non-administrative session IDs
  • Inspect web server access logs for POST requests to bunny.net plugin endpoints issued by low-privileged users
  • Compare current plugin settings against known-good baselines to identify unauthorized drift

Monitoring Recommendations

  • Enable WordPress activity logging to capture role-action mismatches and AJAX endpoint usage
  • Alert on any privileged plugin action performed by users below the Editor role
  • Track creation of new Subscriber accounts in conjunction with immediate API activity

How to Mitigate CVE-2025-68049

Immediate Actions Required

  • Update the bunny.net WordPress plugin to a version newer than 2.3.6 once a patched release is available
  • Audit user accounts and remove unrecognized Subscriber-level registrations
  • Disable open user registration on sites where it is not operationally required by setting users_can_register to 0

Patch Information

Consult the Patchstack Vulnerability Advisory for the current fixed version and upgrade guidance. Apply the vendor-supplied update through the WordPress plugin dashboard or via WP-CLI.

Workarounds

  • Restrict access to /wp-admin/admin-ajax.php and REST API routes for unauthenticated and low-privileged users using a web application firewall (WAF) rule
  • Temporarily deactivate the bunny.net plugin if patching cannot be performed promptly
  • Enforce least-privilege role assignment and review the default registration role under Settings > General
bash
# Disable open registration and update plugin via WP-CLI
wp option update users_can_register 0
wp plugin update bunnycdn
wp user list --role=subscriber --fields=ID,user_login,user_registered

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.