bunny.net – WordPress CDN Plugin < 2.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2024-31361 | Plugin Vulnerabilities

Description

The bunny.net – WordPress CDN Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 2.0.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3a31147b-791c-436f-9407-43485ec2ef50

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Joshua Chan

Verified

No

WPVDB ID

bede6fa8-9493-4179-9287-f54d5bc31c6f

Timeline

Publicly Published

2024-04-08 (about 1 year ago)

Added

2024-04-16 (about 1 year ago)

Last Updated

2024-04-16 (about 1 year ago)

Other

Published

Title

Published

2026-01-13

Title

WMF Mobile Redirector <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters

Published

2024-08-04

Title

Cooked – Recipe Management < 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2024-08-28

Title

SureCart < 2.29.4 - Reflected Cross-Site Scripting

Published

2024-04-22

Title

Schema & Structured Data for WP & AMP < 1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via How To and FAQ Blocks

Published

2025-02-26

Title

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty < 3.3.6 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting