CVE-2025-68049 MEDIUM

CVE-2025-68049: WordPress bunny.net plugin <= 2.3.6 - Broken Access Control vulnerability

Vendor Bunny.net
Product bunny.net
Weakness CWE-862 · Missing authorization
Published June 15, 2026
Last update June 15, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.

Explanation of Vulnerability in Simple Terms

02Summary

Bunny.net versions up to 2.3.6 lack proper authorization checks, allowing authenticated users to read, modify, or delete data they should not have access to. An attacker with a low-privilege account can exploit this to access other users' information or perform unauthorized actions. The vulnerability requires valid credentials but no additional user interaction.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete data belonging to other users or restricted resources.

Potential impact on your site

04Site Impact

User data and resources may be exposed to unauthorized access or modification by other authenticated users.

Conditions required to exploit

05Prerequisites

Valid low-privilege account on the Bunny.net platform; network access.

Key dates

06Disclosure timeline

June 15, 2026 CVE published

Related vulnerabilities

08Related CVE