Better Click To Share (Formerly Better Click To Tweet) Security & Risk Analysis

wordpress.org/plugins/better-click-to-tweet

Better Click To Share (formerly Better Click To Tweet) inserts styled call-out boxes into your posts so readers can share your content on X in one sim …

7K active installs · v6.0.0 · PHP + WP 3.8+ · Updated Mar 15, 2026
Tags: click-to-social, twitter, x-com
Score: 98 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Nov 28, 2022
Safety Verdict

Is Better Click To Share (Formerly Better Click To Tweet) Safe to Use in 2026?

Generally Safe

Score 98/100

Better Click To Share (Formerly Better Click To Tweet) has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Nov 28, 2022 · Updated 20d ago
Risk Assessment

The 'better-click-to-tweet' plugin version 6.0.0 presents a mixed security posture. While it demonstrates good practices in areas like SQL query sanitization, the presence of an unprotected REST API endpoint is a significant concern, increasing the potential attack surface. The 78% proper output escaping indicates a need for further review, as the remaining 22% could still be a vector for cross-site scripting vulnerabilities, especially when considering past vulnerabilities. The vulnerability history, including a high-severity Cross-Site Request Forgery (CSRF) and Improper Neutralization of Input During Web Page Generation (XSS) issues, suggests a pattern of past security weaknesses that require ongoing vigilance.

Despite the lack of currently unpatched CVEs and a generally low count of critical or high-severity taint flows, the unprotected REST API endpoint is a glaring weakness. The vulnerability history, particularly the types of past vulnerabilities, reinforces the need for thorough input validation and output escaping. While the plugin has strengths in its SQL handling and a reasonable number of capability checks, the identified entry points and historical data necessitate a cautious approach and ongoing monitoring.

Key Concerns

  • Unprotected REST API route
  • Output escaping is not 100% proper
  • Vulnerability history includes high severity issues
  • Flows with unsanitized paths found
Vulnerabilities (3)

Better Click To Share (Formerly Better Click To Tweet) Security Vulnerabilities

CVEs by Year

2022: 3 CVEs (all patched)

Severity Breakdown

High
1
Medium
2

3 total CVEs

WF-04bdc2ef-a7aa-45a7-b600-be832eefa32e-better-click-to-tweet · high · 8.8 · Cross-Site Request Forgery (CSRF)

Better Click To Tweet <= 5.10.3 - Cross-Site Request Forgery

Nov 28, 2022 · Patched in 5.10.4 (421d)

CVE-2022-45839 · medium · 6.5 · Missing Authorization

Better Click To Tweet <= 5.10.3 - Missing Authorization

Nov 28, 2022 · Patched in 5.10.4 (421d)

WF-a4c21c56-c424-4667-a281-fa9e7241d8ad-better-click-to-tweet · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Better Click To Tweet <= 5.10.1 - Reflected Cross-Site Scripting

Apr 27, 2022 · Patched in 5.10.2 (636d)
Code Analysis (analyzed Mar 16, 2026)

Better Click To Share (Formerly Better Click To Tweet) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 35 (122 escaped)
Nonce Checks: 2
Capability Checks: 13
File Operations: 0
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

TinyMCE

Output Escaping

78% escaped (157 total outputs)
Data Flows (2 unsanitized)

Data Flow Analysis

5 flows, 2 with unsanitized paths
welcome_page (bctt-welcome.php:32)
Attack Surface (1 unprotected)

Better Click To Share (Formerly Better Click To Tweet) Attack Surface

Entry Points: 2
Unprotected: 1

REST API Routes: 1

GET /wp-json/bctt/v1/connector-agreement (better-click-to-tweet.php:88)

Shortcodes: 1

[bctt] (better-click-to-tweet.php:42)

WordPress Hooks: 26

action admin_notices (admin-nags.php:101)
action current_screen (admin-nags.php:122)
filter tiny_mce_version (bctt-admin.php:5)
action admin_menu (bctt-admin.php:26)
action admin_init (bctt-admin.php:30)
action plugins_loaded (bctt-i18n.php:3)
action admin_init (bctt-welcome-functions.php:104)
action admin_menu (bctt-welcome.php:22)
action admin_init (bctt-welcome.php:23)
action admin_enqueue_scripts (bctt-welcome.php:24)
action init (better-click-to-tweet.php:27)
action rest_api_init (better-click-to-tweet.php:125)
action wp_enqueue_scripts (better-click-to-tweet.php:345)
action bctt_settings_top (includes\admin-clarifier.php:6)
action wp_abilities_api_categories_init (includes\class-bctt-abilities.php:42)
action wp_abilities_api_init (includes\class-bctt-abilities.php:197)
action admin_init (includes\updater\bctt-updater.php:160)
action admin_init (includes\updater\bctt-updater.php:161)
action admin_init (includes\updater\bctt-updater.php:162)
action admin_init (includes\updater\bctt-updater.php:353)
filter pre_set_site_transient_update_plugins (includes\updater\BCTT_SL_Plugin_Updater.php:73)
filter plugins_api (includes\updater\BCTT_SL_Plugin_Updater.php:74)
action admin_init (includes\updater\BCTT_SL_Plugin_Updater.php:77)
filter pre_set_site_transient_update_plugins (includes\updater\BCTT_SL_Plugin_Updater.php:214)
action admin_menu (includes\updater\license-page.php:22)
action admin_init (includes\updater\license-page.php:138)
Maintenance & Trust

Better Click To Share (Formerly Better Click To Tweet) Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Mar 15, 2026
PHP min version:
Downloads: 650K

Community Trust

Rating: 96/100
Number of ratings: 48
Active installs: 7K
Developer Profile

Better Click To Share (Formerly Better Click To Tweet) Developer Profile

Ben Meredith

3 plugins · 11K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 493 days
Detection Fingerprints

How We Detect Better Click To Share (Formerly Better Click To Tweet)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/better-click-to-tweet/assets/css/bctt-frontend.css
/wp-content/plugins/better-click-to-tweet/assets/js/bctt-frontend.js
Script Paths
/wp-content/plugins/better-click-to-tweet/assets/js/bctt-frontend.js
Version Parameters
better-click-to-tweet/assets/css/bctt-frontend.css?ver=
better-click-to-tweet/assets/js/bctt-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
bctt-click-to-tweet, bctt-ctt-text, bctt-ctt-btn
Data Attributes
data-bctt-tweet, data-bctt-via, data-bctt-username, data-bctt-url, data-bctt-prompt
JS Globals
bctt_options, bctt_frontend
REST Endpoints
/bctt/v1/connector-agreement
Shortcode Output
<a class="twitter-share-button" href="https://twitter.com/intent/tweet?url= ... text=
FAQ

Frequently Asked Questions about Better Click To Share (Formerly Better Click To Tweet)