Bulk NoIndex & NoFollow Toolkit Security & Risk Analysis

wordpress.org/plugins/bulk-noindex-nofollow-toolkit-by-mad-fish

Bulk set the noindex / nofollow robots tag for posts, pages, categories, and author URLs. Easily identify thin content and noindex it fast.

2K active installs · v2.30 · PHP 5.6+ · WP 4.1+ · Updated Mar 8, 2026
Tags: all-in-one-seo-aioseo, bulk-noindex-nofollow, rank-math, seo-penalty-recovery, yoast
97 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Apr 1, 2025
Safety Verdict

Is Bulk NoIndex & NoFollow Toolkit Safe to Use in 2026?

Generally Safe

Score 97/100

Bulk NoIndex & NoFollow Toolkit has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

5 known CVEs · Last CVE: Apr 1, 2025 · Updated 2mo ago
Risk Assessment

The "bulk-noindex-nofollow-toolkit-by-mad-fish" plugin v2.30 presents a mixed security posture. While it demonstrates good practices in handling SQL queries with prepared statements and a very low rate of unescaped outputs, several significant concerns arise from the static analysis. The plugin has a considerable attack surface consisting of 6 AJAX handlers, all of which lack proper authentication checks. This is a critical weakness that could allow unauthenticated users to trigger potentially sensitive actions.

The vulnerability history is also a concern, with a total of 5 known CVEs, all of which were medium severity. The common vulnerability types, Cross-site Scripting and Missing Authorization, correlate directly with the findings of unprotected AJAX handlers. The fact that all past vulnerabilities are currently patched is a positive, but the recurring nature of these vulnerability types suggests a potential ongoing weakness in how user input is handled and access is controlled.

In conclusion, the plugin has strengths in its SQL handling and output escaping. However, the lack of authorization checks on a significant portion of its AJAX endpoints, coupled with a history of similar vulnerabilities, creates a substantial risk of unauthorized actions and potential cross-site scripting attacks if not addressed. Users should be cautious and ensure the latest patches are applied, but the fundamental architectural flaw in unprotected AJAX handlers requires remediation.

Key Concerns

  • AJAX handlers without auth checks
  • 5 medium severity CVEs in history
  • 71% properly escaped outputs
Vulnerabilities
5 published

Bulk NoIndex & NoFollow Toolkit Security Vulnerabilities

CVEs by Year

  • 2023: 2 CVEs
  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

Medium: 5

5 total CVEs

CVE-2025-31537 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bulk NoIndex & NoFollow Toolkit <= 2.16 - Reflected Cross-Site Scripting

Apr 1, 2025 · Patched in 2.20 (18d)

CVE-2024-8803 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bulk NoIndex & NoFollow Toolkit <= 2.15 - Reflected Cross-Site Scripting

Sep 25, 2024 · Patched in 2.16 (1d)

CVE-2024-29791 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bulk NoIndex & NoFollow Toolkit <= 2.01 - Reflected Cross-Site Scripting via tab, order, and orderby

Mar 25, 2024 · Patched in 2.10 (5d)

CVE-2023-45065 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bulk NoIndex & NoFollow Toolkit <= 1.42 - Reflected Cross-Site Scripting via 's'

Oct 3, 2023 · Patched in 1.5 (112d)

CVE-2023-41688 · medium · 4.3 · Missing Authorization

Bulk NoIndex & NoFollow Toolkit <= 1.5 - Missing Authorization

Sep 4, 2023 · Patched in 1.51 (141d)

Version History

Bulk NoIndex & NoFollow Toolkit Release Timeline

  • v2.30 · Current
  • v2.20
  • v2.16 · 1 CVE

Code Analysis
Analyzed Mar 16, 2026

Bulk NoIndex & NoFollow Toolkit Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 29 (70 escaped)
Nonce Checks: 6
Capability Checks: 9
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

71% escaped · 99 total outputs

Data Flows · Security
All sanitized

Data Flow Analysis

4 flows
update_cat_bulk_callback (inc\bulk-noindex-toolkit-class.php:594)
Attack Surface
6 unprotected

Bulk NoIndex & NoFollow Toolkit Attack Surface

Entry Points: 6
Unprotected: 6

AJAX Handlers: 6

  • auth · wp_ajax_update_page_callback · bulk-noindex-toolkit.php:23
  • auth · wp_ajax_update_page_bulk_callback · bulk-noindex-toolkit.php:24
  • auth · wp_ajax_update_cat_callback · bulk-noindex-toolkit.php:26
  • auth · wp_ajax_update_cat_bulk_callback · bulk-noindex-toolkit.php:27
  • auth · wp_ajax_update_author_callback · bulk-noindex-toolkit.php:29
  • auth · wp_ajax_update_author_bulk_callback · bulk-noindex-toolkit.php:30

WordPress Hooks: 7

  • action · admin_menu · bulk-noindex-toolkit.php:20
  • action · save_post · bulk-noindex-toolkit.php:36
  • action · wp_head · bulk-noindex-toolkit.php:39
  • filter · wpseo_robots · inc\bulk-noindex-toolkit-class.php:149
  • filter · aioseo_robots_meta · inc\bulk-noindex-toolkit-class.php:178
  • filter · rank_math/frontend/robots · inc\bulk-noindex-toolkit-class.php:192
  • filter · wp_robots · inc\bulk-noindex-toolkit-class.php:206

Maintenance & Trust

Bulk NoIndex & NoFollow Toolkit Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 8, 2026
PHP min version: 5.6
Downloads: 26K

Community Trust

Rating: 86/100
Number of ratings: 9
Active installs: 2K

Developer Profile

Bulk NoIndex & NoFollow Toolkit Developer Profile

madfishdigital

1 plugin · 2K total installs

Trust score: 86
Avg Security Score: 97/100
Avg Patch Time: 55 days

Detection Fingerprints

How We Detect Bulk NoIndex & NoFollow Toolkit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/bulk-noindex-nofollow-toolkit-by-mad-fish/admin/css/bulk-noindex-toolkit.css
  • /wp-content/plugins/bulk-noindex-nofollow-toolkit-by-mad-fish/admin/js/bulk-noindex-toolkit.js
Script Paths
  • /wp-content/plugins/bulk-noindex-nofollow-toolkit-by-mad-fish/admin/js/bulk-noindex-toolkit.js
Version Parameters
  • bulk-noindex-nofollow-toolkit-by-mad-fish/admin/css/bulk-noindex-toolkit.css?ver=
  • bulk-noindex-nofollow-toolkit-by-mad-fish/admin/js/bulk-noindex-toolkit.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- robots meta tag updated by Mad Fish bulk noindex plugin https://www.madfishdigital.com/wp-plugins/ -->
Data Attributes
  • data-bnitk-noindex
  • data-bnitk-nofollow
  • data-bnitk-update-type
JS Globals
  • bulkToolKitAjaxUrl
  • bulkNoindexToolkitObject
REST Endpoints
  • /wp-json/bnitkmfd/v1/update/post
  • /wp-json/bnitkmfd/v1/update/bulk/posts
  • /wp-json/bnitkmfd/v1/update/term
  • /wp-json/bnitkmfd/v1/update/bulk/terms
  • /wp-json/bnitkmfd/v1/update/author
  • /wp-json/bnitkmfd/v1/update/bulk/authors

FAQ

Frequently Asked Questions about Bulk NoIndex & NoFollow Toolkit