Impact
The bunny.net WordPress plugin contains a broken access control flaw in versions 2.3.6 and earlier. An attacker who can reach the plugin’s endpoints may be able to perform subscriber‑level actions or view subscriber data that they should not be authorized to access. This can lead to the disclosure or manipulation of subscriber information and possibly other privileged operations within the WordPress site.
Affected Systems
WordPress sites that install the bunny.net plugin version 2.3.6 or earlier are impacted, as the flaw resides in the plugin’s subscriber component and affects all instances where the plugin is enabled.
Risk and Exploitability
The CVSS score of 6.3 classifies the flaw as moderate, while an EPSS score of less than 1 % indicates a very low probability of exploitation at this time and the issue is not listed in the CISA KEV catalog. The description does not specify the exact attack surface, but it is reasonable to infer that the vulnerability can be exploited via HTTP requests to the plugin’s endpoints, likely requiring access to the WordPress site and possibly some form of authentication or privilege escalation within the plugin.
OpenCVE Enrichment