Broken Link Checker Security & Risk Analysis

wordpress.org/plugins/broken-link-checker

Broken Link Checker helps you catch broken links & images fast, before they hurt your SEO or UX. Scan and bulk-fix issues from one easy dashboard.

500K active installs · v2.4.8 · PHP 7.4+ · WP 5.2+ · Updated Mar 11, 2026
Tags: broken-images, broken-links, external-link, internal-link, links
Score: 91 · A · Safe
CVEs total: 11
Unpatched: 0
Last CVE: Jun 2, 2025
Safety Verdict

Is Broken Link Checker Safe to Use in 2026?

Generally Safe

Score 91/100

Broken Link Checker has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Jun 2, 2025 · Updated 23d ago
Risk Assessment

The Broken Link Checker plugin, version 2.4.8, presents a mixed security posture. While the code analysis shows a commendable effort in using prepared statements for SQL queries (85%) and proper output escaping (82%), there are significant concerns. A total of 13 AJAX handlers are present, with 3 lacking authentication checks, creating a direct attack surface. The taint analysis, though limited in scope with only 10 flows analyzed, did reveal one flow with unsanitized paths, which could potentially lead to local file inclusion or similar vulnerabilities if exploited. The plugin's vulnerability history is particularly concerning, with 11 known CVEs, including 2 high-severity vulnerabilities related to Missing Authorization and SSRF. The fact that all previously identified CVEs are now patched is a positive sign, but the historical prevalence of these serious vulnerability types suggests a pattern of insecure coding practices that require ongoing vigilance and diligent updates. Overall, the plugin has some strengths in its data handling practices but is weakened by its exposed AJAX endpoints and historical security issues.

Key Concerns

  • 3 unprotected AJAX handlers
  • Flow with unsanitized paths
  • 2 High severity CVEs historically
  • 9 Medium severity CVEs historically
Vulnerabilities: 11

Broken Link Checker Security Vulnerabilities

CVEs by Year

2014: 1 CVE
2015: 2 CVEs
2019: 2 CVEs
2022: 2 CVEs
2024: 3 CVEs
2025: 1 CVE

Severity Breakdown

High: 2
Medium: 9

11 total CVEs

CVE-2025-4047 · medium · 4.3 · Missing Authorization

Broken Link Checker <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Status Dashboard View

Jun 2, 2025 Patched in 2.4.5 (1d)
CVE-2024-10903 · medium · 5.5 · Server-Side Request Forgery (SSRF)

Broken Link Checker <= 2.4.1 - Authenticated (Admin+) Server-Side Request Forgery

Dec 5, 2024 Patched in 2.4.2 (44d)
CVE-2024-8981 · high · 7.1 · Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Broken Link Checker <= 2.4.0 - Reflected Cross-Site Scripting

Sep 30, 2024 Patched in 2.4.1 (1d)
CVE-2024-25592 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Broken Link Checker <= 2.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Feb 12, 2024 Patched in 2.2.4 (3d)
CVE-2022-3922 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Broken Link Checker <= 1.11.19 - Authenticated (Administrator+) Stored Cross-Site Scripting

Nov 11, 2022 Patched in 1.11.20 (438d)
CVE-2022-2438 · high · 7.2 · Deserialization of Untrusted Data

Broken Link Checker <= 1.11.16 - Authenticated (Admin+) PHAR Deserialization

Jul 18, 2022 Patched in 1.11.17 (554d)
CVE-2019-16521 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Broken Link Checker <= 1.11.8 - Reflected Cross-Site Scripting

Oct 15, 2019 Patched in 1.11.9 (1561d)
CVE-2019-17207 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Broken Link Checker <= 1.11.8 - Reflected Cross-Site Scripting

Oct 14, 2019 Patched in 1.11.9 (1562d)
CVE-2015-5057 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Broken Link Checker <= 1.10.8 - Cross-Site Scripting

Jun 29, 2015 Patched in 1.10.9 (3130d)
CVE-2015-10098 · medium · 5.3 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Broken Link Checker < 1.10.6 - Reflected Cross Site Scripting

Apr 20, 2015 Patched in 1.10.6 (3216d)
CVE-2014-125105 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Broken Link Checker < 1.10.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Dec 5, 2014 Patched in 1.10.2 (3336d)
Code Analysis
Analyzed Mar 16, 2026

Broken Link Checker Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 19 (106 prepared)
Unescaped Output: 93 (425 escaped)
Nonce Checks: 24
Capability Checks: 41
File Operations: 20
External Requests: 8
Bundled Libraries: 0

SQL Query Safety

85% prepared · 125 total queries

Output Escaping

82% escaped · 518 total outputs
Data Flows: 1 unsanitized

Data Flow Analysis

10 flows · 1 with unsanitized paths
links_page (legacy\core\core.php:1861)
Attack Surface: 3 unprotected

Broken Link Checker Attack Surface

Entry Points: 13
Unprotected: 3

AJAX Handlers 13

auth · wp_ajax_wpmudev_blc_multisite_notification_dismiss · app\admin-notices\multisite\class-controller.php:40
auth · wp_ajax_blc_full_status · legacy\core\core.php:131
auth · wp_ajax_blc_dashboard_status · legacy\core\core.php:132
auth · wp_ajax_blc_work · legacy\core\core.php:133
auth · wp_ajax_blc_discard · legacy\core\core.php:134
auth · wp_ajax_blc_edit · legacy\core\core.php:135
auth · wp_ajax_blc_link_details · legacy\core\core.php:136
auth · wp_ajax_blc_unlink · legacy\core\core.php:137
auth · wp_ajax_blc_recheck · legacy\core\core.php:138
auth · wp_ajax_blc_deredirect · legacy\core\core.php:139
auth · wp_ajax_blc_current_load · legacy\core\core.php:140
auth · wp_ajax_blc_dismiss · legacy\core\core.php:142
auth · wp_ajax_blc_undismiss · legacy\core\core.php:143
WordPress Hooks 115
action · current_screen · app\admin-modals\legacy\class-controller.php:62
filter · admin_body_class · app\admin-modals\legacy\class-controller.php:72
action · admin_footer · app\admin-modals\legacy\class-controller.php:73
action · current_screen · app\admin-modals\local\class-controller.php:63
filter · admin_body_class · app\admin-modals\local\class-controller.php:71
filter · admin_body_class · app\admin-notices\legacy\class-controller.php:62
filter · admin_body_class · app\admin-notices\multisite\class-controller.php:94
action · admin_enqueue_scripts · app\admin-notices\multisite\class-controller.php:95
action · rest_api_init · app\admin-pages\cloud-page\class-controller.php:88
filter · rest_prepare_user · app\admin-pages\cloud-page\class-controller.php:145
action · wpmudev_hub_connector_first_sync_completed · app\admin-pages\cloud-page\class-controller.php:146
filter · wpmudev_hub_connector_localize_text_vars · app\admin-pages\cloud-page\class-controller.php:147
action · rest_api_init · app\admin-pages\cloud-page\class-controller.php:152
filter · admin_body_class · app\admin-pages\cloud-page\class-controller.php:400
action · admin_enqueue_scripts · app\admin-pages\cloud-submenu\class-controller.php:62
action · admin_menu · app\admin-pages\cloud-submenu\class-controller.php:63
action · admin_menu · app\admin-pages\local-submenu\class-controller.php:104
action · init · app\options\settings\class-controller.php:47
action · wpmudev_blc_plugin_activated · app\options\settings\class-controller.php:49
action · load-toplevel_page_blc_dash · app\options\settings\class-controller.php:52
action · load-link-checker_page_blc_local · app\options\settings\class-controller.php:55
action · deleted_user · app\options\settings\class-controller.php:57
action · remove_user_from_blog · app\options\settings\class-controller.php:58
action · rest_api_init · app\rest-endpoints\avatars\class-controller.php:49
action · rest_api_init · app\rest-endpoints\scan\class-controller.php:51
action · rest_api_init · app\rest-endpoints\settings\class-controller.php:72
action · wpmudev_blc_plugin_deactivated · app\scheduled-events\edit-links\class-controller.php:64
action · wpmudev_blc_plugin_deactivated · app\scheduled-events\legacy\class-controller.php:56
action · wpmudev_blc_rest_enpoints_switch_version_mode · app\scheduled-events\legacy\class-controller.php:57
filter · blc_allow_send_email_notification · app\scheduled-events\legacy\class-controller.php:101
action · wpmudev_blc_rest_enpoints_after_save_schedule_settings · app\scheduled-events\scan\class-controller.php:68
action · wpmudev_blc_plugin_deactivated · app\scheduled-events\scan\class-controller.php:70
action · wpmudev_blc_plugin_deactivated · app\scheduled-events\sync-scan-results\class-controller.php:55
action · init · app\submodules\black-friday\class-controller.php:35
action · init · app\submodules\cross-sell\class-controller.php:41
action · plugins_loaded · broken-link-checker.php:125
action · plugins_loaded · broken-link-checker.php:148
action · init · core\class-loader.php:159
action · wp_enqueue_scripts · core\class-loader.php:164
action · admin_enqueue_scripts · core\class-loader.php:165
action · admin_init · core\controllers\class-admin-notice.php:75
action · current_screen · core\controllers\class-admin-notice.php:86
filter · admin_body_class · core\controllers\class-admin-notice.php:101
action · admin_notices · core\controllers\class-admin-notice.php:102
action · admin_menu · core\controllers\class-admin-page.php:175
action · admin_menu · core\controllers\class-admin-page.php:176
action · admin_init · core\controllers\class-admin-page.php:177
action · current_screen · core\controllers\class-admin-page.php:280
filter · admin_body_class · core\controllers\class-admin-page.php:294
filter · wdp_register_hub_action · core\controllers\class-hub-endpoint.php:53
filter · the_posts · core\controllers\class-virtual-post.php:91
action · init · core\controllers\class-webhook.php:92
filter · query_vars · core\controllers\class-webhook.php:93
action · parse_request · core\controllers\class-webhook.php:94
action · wpmudev_blc_plugin_activated · core\controllers\class-webhook.php:95
action · wpmudev_blc_plugin_deactivated · core\controllers\class-webhook.php:96
filter · comments_array · core\controllers\class-webhook.php:168
filter · comments_open · core\controllers\class-webhook.php:171
filter · pings_open · core\controllers\class-webhook.php:174
action · wp_loaded · core\controllers\class-webhook.php:216
action · init · core\traits\trait-cron.php:87
action · wpmudev_blc_plugin_activated · core\traits\trait-cron.php:122
action · wpmudev_blc_plugin_deactivated · core\traits\trait-cron.php:123
filter · cron_schedules · core\traits\trait-cron.php:126
action · admin_menu · legacy\core\core.php:110
action · wp_dashboard_setup · legacy\core\core.php:128
action · blc_cron_email_notifications · legacy\core\core.php:149
action · blc_cron_check_links · legacy\core\core.php:150
action · blc_cron_database_maintenance · legacy\core\core.php:151
action · blc_corn_clear_log_file · legacy\core\core.php:152
action · admin_footer · legacy\core\core.php:155
action · admin_notices · legacy\core\core.php:170
filter · wp_insert_post_data · legacy\core\core.php:173
filter · plugin_action_links · legacy\core\core.php:421
filter · blc-module-settings-custom_field · legacy\core\core.php:882
filter · blc-module-settings-acf_field · legacy\core\core.php:883
filter · wp_mail_content_type · legacy\core\core.php:4333
filter · cron_schedules · legacy\core\init.php:254
action · wp_head · legacy\core\init.php:306
action · init · legacy\core\init.php:310
action · admin_notices · legacy\core\init.php:362
action · delete_post · legacy\includes\any-post.php:74
action · save_post · legacy\includes\any-post.php:75
action · trashed_post · legacy\includes\any-post.php:77
action · untrash_post · legacy\includes\any-post.php:78
filter · the_content · legacy\includes\any-post.php:89
action · wp_head · legacy\includes\any-post.php:91
filter · extra_plugin_headers · legacy\includes\module-manager.php:34
action · admin_notices · legacy\includes\screen-meta-links.php:34
action · admin_print_styles · legacy\includes\screen-meta-links.php:35
action · current_screen · legacy\includes\screen-options\screen-options.php:28
filter · screen_settings · legacy\includes\screen-options\screen-options.php:29
action · admin_print_scripts · legacy\includes\screen-options\screen-options.php:30
filter · cron_schedules · legacy\init.php:271
action · wp_head · legacy\init.php:339
action · init · legacy\init.php:343
action · admin_notices · legacy\init.php:395
filter · blc-parser-html-link-content · legacy\integrations\siteorigin.php:20
filter · blc_parser_html_link_pre_content · legacy\integrations\siteorigin.php:21
filter · blc_parser_html_link_post_content · legacy\integrations\siteorigin.php:22
action · acf/save_post · legacy\modules\containers\acf_field.php:434
action · delete_post · legacy\modules\containers\acf_field.php:437
action · trash_post · legacy\modules\containers\acf_field.php:438
action · untrashed_post · legacy\modules\containers\acf_field.php:441
action · add_link · legacy\modules\containers\blogroll.php:179
action · edit_link · legacy\modules\containers\blogroll.php:180
action · delete_link · legacy\modules\containers\blogroll.php:181
action · post_comment · legacy\modules\containers\comment.php:235
action · edit_comment · legacy\modules\containers\comment.php:236
action · transition_comment_status · legacy\modules\containers\comment.php:237
action · trashed_post_comments · legacy\modules\containers\comment.php:239
action · untrash_post_comments · legacy\modules\containers\comment.php:240
action · delete_post · legacy\modules\containers\custom_field.php:429
action · trash_post · legacy\modules\containers\custom_field.php:430
action · untrashed_post · legacy\modules\containers\custom_field.php:433

Scheduled Events 4

blc_cron_check_links
blc_cron_email_notifications
blc_cron_database_maintenance
blc_corn_clear_log_file
Maintenance & Trust

Broken Link Checker Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 7.4
Downloads: 22.3M

Community Trust

Rating: 76/100
Number of ratings: 592
Active installs: 500K
Developer Profile

Broken Link Checker Developer Profile

WPMU DEV - Your All-in-One WordPress Platform

9 plugins · 2.4M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 396 days
Detection Fingerprints

How We Detect Broken Link Checker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/broken-link-checker/core/admin/css/blc-admin-styles.css
/wp-content/plugins/broken-link-checker/core/admin/js/blc-admin-scripts.js
/wp-content/plugins/broken-link-checker/core/ui/css/shared-ui.css
/wp-content/plugins/broken-link-checker/core/ui/js/shared-ui.js
Script Paths
/wp-content/plugins/broken-link-checker/core/admin/js/blc-admin-scripts.js
/wp-content/plugins/broken-link-checker/core/ui/js/shared-ui.js
Version Parameters
broken-link-checker/core/admin/css/blc-admin-styles.css?ver=
broken-link-checker/core/admin/js/blc-admin-scripts.js?ver=
broken-link-checker/core/ui/css/shared-ui.css?ver=
broken-link-checker/core/ui/js/shared-ui.js?ver=

HTML / DOM Fingerprints

CSS Classes
blc-plugin-admin-page
HTML Comments
This plugin is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or any later version. Broken Link Checker is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with Broken Link Checker. If not, see https://www.gnu.org/licenses/gpl-2.0.html.
Broken Link Checker is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or any later version. Broken Link Checker is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with Broken Link Checker. If not, see https://www.gnu.org/licenses/gpl-2.0.html.
Data Attributes
data-blc-module-id
data-blc-module-context
JS Globals
WPMUDEV_BLC_VERSION
WPMUDEV_BLC_BASENAME
WPMUDEV_BLC_DIR
WPMUDEV_BLC_URL
WPMUDEV_BLC_ASSETS_URL
WPMUDEV_BLC_SCIPTS_VERSION
+2 more
FAQ

Frequently Asked Questions about Broken Link Checker