VYPR
Medium severity 5.9 · NVD Advisory · Published Apr 11, 2024 · Updated Apr 28, 2026

CVE-2024-31361

Description

A stored cross-site scripting (XSS) vulnerability in the bunny.net WordPress plugin (up to 2.0.1) allows attackers with contributor-level or higher privileges to inject malicious scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

The bunny.net WordPress plugin, in versions through 2.0.1, contains a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation. This flaw allows users with at least contributor-level privileges to inject arbitrary JavaScript or HTML into the plugin's content, which is then stored and served to other users [1].

Exploitation Conditions

Exploitation requires an authenticated user with contributor or higher role privileges to craft a malicious payload and submit it through the plugin's interface. Successful execution then demands additional user interaction—such as an administrator clicking a link, visiting a crafted page, or submitting a form—to trigger the stored payload in a privileged session [1]. Attackers often chain such vulnerabilities in mass-exploit campaigns against thousands of websites regardless of their traffic or popularity.

Impact

An attacker who successfully exploits this vulnerability can execute arbitrary scripts in the context of the victim's browser when they visit the affected page. This can lead to session hijacking, credential theft, forced redirects to malicious sites, defacement, or injection of advertisements and other HTML payloads [1].

Mitigation

The vulnerability is patched in version 2.0.2 of the bunny.net plugin. Users are strongly advised to update immediately. Patchstack users may enable auto-updates for vulnerable plugins to ensure prompt remediation [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

References: 1
