Bunny Net
Monthly
Broken Access Control in the bunny.net WordPress plugin (versions ≤ 2.3.6) enables subscriber-level authenticated users to invoke functionality restricted to higher-privileged roles, such as administrators. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated requestor holds sufficient privileges before executing sensitive operations. Reported by Patchstack, this is a medium-severity finding (CVSS 6.3); no public exploit code and no CISA KEV listing have been identified at time of analysis, though the low barrier of a standard subscriber account on any affected WordPress site makes it noteworthy for multi-tenant or membership-based deployments.
Broken Access Control in the bunny.net WordPress plugin (versions ≤ 2.3.6) enables subscriber-level authenticated users to invoke functionality restricted to higher-privileged roles, such as administrators. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated requestor holds sufficient privileges before executing sensitive operations. Reported by Patchstack, this is a medium-severity finding (CVSS 6.3); no public exploit code and no CISA KEV listing have been identified at time of analysis, though the low barrier of a standard subscriber account on any affected WordPress site makes it noteworthy for multi-tenant or membership-based deployments.