WordPress Plugin Vulnerabilities

bunny.net < 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The bunny.net plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
bunnycdn
Fixed in 2.3.1

References

CVE
CVE-2025-48236
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/926201d1-36bd-451f-a433-862e0484b36d

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
b44ac064-2429-4aa4-a422-51fdb741fe1e

Timeline

Publicly Published
2025-05-19 (about 1 year ago)
Added
2025-05-28 (about 1 year ago)
Last Updated
2025-05-28 (about 1 year ago)

Other

Published
Title
Published
2025-09-05
Title
ARI Fancy Lightbox < 1.4.1 - Contributor+ Stored XSS
Published
2024-03-25
Title
Travelers' Map < 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-08-30
Title
WishSuite < 1.3.5 - Admin+ Stored XSS
Published
2026-04-21
Title
Buzz Comments <= 0.9.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Buzz Avatar' Setting
Published
2025-06-06
Title
Essential Addons for Elementor < 6.1.13 - Contributor+ Stored XSS via Event Calendar Widget