bunny.net – WordPress CDN Plugin Security & Risk Analysis

wordpress.org/plugins/bunnycdn

Enable Bunny CDN to speed up your WordPress website and enjoy greatly improved loading times around the world.

10K active installs · v3.0.1 · PHP 8.1+ · WP 6.7+ · Updated Apr 9, 2026
Tags: bandwidth, cdn, content-delivery-network, performance, stream
Score: 96 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: May 7, 2026
Safety Verdict

Is bunny.net – WordPress CDN Plugin Safe to Use in 2026?

Generally Safe

Score 96/100

bunny.net – WordPress CDN Plugin has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: May 7, 2026 · Updated 1mo ago
Risk Assessment

The bunnycdn plugin v3.0.0 presents a mixed security posture. While it demonstrates good practices in areas like using prepared statements for all SQL queries and a significant percentage of properly escaped output, there are notable areas of concern. The presence of two unprotected entry points (one AJAX handler and one REST API route) is a significant risk, as these could be exploited by unauthenticated users. The taint analysis, while not revealing critical or high severity issues, did find 8 flows with unsanitized paths, indicating potential for information disclosure or unexpected behavior if specific input vectors are leveraged.

The vulnerability history shows two known medium severity CVEs, both related to Cross-site Scripting. The fact that the last vulnerability was dated in the future (2025-05-19) suggests this data might be hypothetical or a future projection. If these CVEs were indeed in the wild, it indicates a past struggle with input validation leading to XSS. The absence of currently unpatched vulnerabilities is a positive sign, but the pattern of XSS vulnerabilities warrants continued vigilance. Overall, the plugin has strengths in its database query security but needs to address its exposed entry points and the identified unsanitized paths to improve its security.

Key Concerns

  • Unprotected AJAX handler
  • REST API route without permission callback
  • Taint flows with unsanitized paths detected
  • Medium severity XSS vulnerabilities historically
Vulnerabilities
3 published

bunny.net – WordPress CDN Plugin Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-68049 · medium · 4.3 · Missing Authorization

bunny.net – WordPress CDN Plugin <= 2.3.6 - Missing Authorization

May 7, 2026 · Patched in 2.3.7 (5d)

CVE-2025-48236 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

bunny.net <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 19, 2025 · Patched in 2.3.1 (10d)

CVE-2024-31361 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

bunny.net – WordPress CDN Plugin <= 2.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 8, 2024 · Patched in 2.0.2 (9d)

Code Analysis
Analyzed Mar 16, 2026

bunny.net – WordPress CDN Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (30 prepared)
Unescaped Output: 69 (225 escaped)
Nonce Checks: 11
Capability Checks: 6
File Operations: 5
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

100% prepared · 30 total queries

Output Escaping

77% escaped · 294 total outputs
Data Flows · Security
8 unsanitized

Data Flow Analysis

8 flows · 8 with unsanitized paths
run (src\Admin\Controller\Attachment.php:34)
Attack Surface
2 unprotected

bunny.net – WordPress CDN Plugin Attack Surface

Entry Points: 7
Unprotected: 2

AJAX Handlers 1

auth · wp_ajax_bunnycdn · admin.php:105

REST API Routes 5

GET /wp-json/bunnycdn/v2/offloader/sync · src\REST\Controller.php:52
GET /wp-json/bunnycdn/v2/stream/config · src\REST\Controller.php:53
GET /wp-json/bunnycdn/v2/stream/videos · src\REST\Controller.php:54
GET /wp-json/bunnycdn/v2/stream/video · src\REST\Controller.php:55
GET /wp-json/bunnycdn/v2/stream/videoStatus · src\REST\Controller.php:56

Shortcodes 1

[bunnycdn_stream_video] bunnycdn.php:79
WordPress Hooks 19
action · admin_menu · admin.php:49
filter · submenu_file · admin.php:94
action · load-toplevel_page_bunnycdn · admin.php:109
action · wp_print_scripts · admin.php:124
action · admin_notices · admin.php:141
action · upgrader_process_complete · bunnycdn.php:47
action · init · bunnycdn.php:58
action · rest_api_init · bunnycdn.php:74
filter · cron_schedules · bunnycdn.php:81
filter · bunnycdn_offloader_cron_hook · bunnycdn.php:82
action · template_redirect · src\HtmlRewriter.php:49
filter · wp_resource_hints · src\HtmlRewriter.php:53
filter · wp_handle_upload_overrides · src\Offloader.php:54
filter · update_attached_file · src\Offloader.php:55
action · delete_attachment · src\Offloader.php:56
filter · wp_delete_file · src\Offloader.php:57
filter · image_make_intermediate_size · src\Offloader.php:58
filter · wp_generate_attachment_metadata · src\Offloader.php:59
action · updated_postmeta · src\Offloader.php:60
Maintenance & Trust

bunny.net – WordPress CDN Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 9, 2026
PHP min version: 8.1
Downloads: 615K

Community Trust

Rating: 60/100
Number of ratings: 20
Active installs: 10K
Developer Profile

bunny.net – WordPress CDN Plugin Developer Profile

bunny.net

1 plugin · 10K total installs

Trust score: 91
Avg Security Score: 96/100
Avg Patch Time: 8 days
Detection Fingerprints

How We Detect bunny.net – WordPress CDN Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bunnycdn/assets/css/admin-thickbox.css
/wp-content/plugins/bunnycdn/assets/css/admin.css
/wp-content/plugins/bunnycdn/assets/css/slimselect.min.css
/wp-content/plugins/bunnycdn/assets/js/admin-redirect.js
/wp-content/plugins/bunnycdn/assets/js/admin-thickbox.js
/wp-content/plugins/bunnycdn/assets/js/admin.js
/wp-content/plugins/bunnycdn/assets/js/slimselect.min.js
Script Paths
/wp-content/plugins/bunnycdn/assets/js/admin.js
/wp-content/plugins/bunnycdn/assets/js/admin-redirect.js
/wp-content/plugins/bunnycdn/assets/js/admin-thickbox.js
/wp-content/plugins/bunnycdn/assets/js/slimselect.min.js
Version Parameters
bunnycdn/assets/css/admin-thickbox.css?ver=
bunnycdn/assets/css/admin.css?ver=
bunnycdn/assets/css/slimselect.min.css?ver=
bunnycdn/assets/js/admin-redirect.js?ver=
bunnycdn/assets/js/admin-thickbox.js?ver=
bunnycdn/assets/js/admin.js?ver=
bunnycdn/assets/js/slimselect.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
bunnycdn-admin-settings
HTML Comments
bunny.net WordPress Plugin
Copyright (C) 2024-2025 BunnyWay d.o.o.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
Data Attributes
data-nonce
JS Globals
BunnyCDNAdmin
REST Endpoints
/wp-json/bunnycdn/v1/settings
/wp-json/bunnycdn/v1/scanner
/wp-json/bunnycdn/v1/zones
/wp-json/bunnycdn/v1/assets
/wp-json/bunnycdn/v1/pullzones
/wp-json/bunnycdn/v1/pullzone/assets
Shortcode Output
[bunnycdn_stream_video