WP-Safety

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin Security & Risk Analysis

wordpress.org/plugins/pretty-link

🌠 The best WordPress link management, branding, tracking, sharing and payments plugin. Easily make pretty & trackable shortlinks. 🔗

300K active installs v3.6.20 PHP 7.4+ WP 6.0+ Updated Jan 21, 2026
affiliate-linksecommercelink-trackingpaymentsstripe
90
A · Safe
CVEs total8
Unpatched0
Last CVEMay 19, 2025
Plugin page Download
Safety Verdict

Is PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin Safe to Use in 2026?

Generally Safe

Score 90/100

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEsLast CVE: May 19, 2025Updated 2mo ago
Risk Assessment

The 'pretty-link' plugin, version 3.6.20, exhibits a mixed security posture. While it demonstrates good practices with a high percentage of prepared SQL statements and properly escaped output, several concerning areas warrant attention. The significant attack surface, with 49 AJAX handlers, 20 of which lack authentication checks, presents a considerable risk. Furthermore, the presence of a `unserialize` function, a known dangerous function, and taint analysis revealing three high-severity unsanitized flows indicate potential for critical vulnerabilities if not handled with extreme care.

The plugin's vulnerability history, with 8 total known CVEs and a recent one in May 2025, highlights a recurring pattern of security weaknesses. The common types of vulnerabilities (Missing Authorization, XSS, CSRF, SQL Injection) directly correlate with the findings in the static analysis, particularly the unprotected AJAX handlers and the potential for unsanitized input. Although there are currently no unpatched CVEs, the history suggests a consistent need for diligent security patching and code review.

In conclusion, while 'pretty-link' shows strengths in its data handling and output sanitization, the large number of unprotected entry points, the presence of dangerous functions, and the historical trend of vulnerabilities necessitate caution. The high-severity taint flows and the significant number of unprotected AJAX handlers are the most immediate concerns that require remediation.

Key Concerns

  • AJAX handlers without auth checks
  • High severity taint flows found
  • Use of dangerous function: unserialize
  • Multiple high severity CVEs in history
  • Recent vulnerability found
Vulnerabilities
8

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin Security Vulnerabilities

CVEs by Year

1 CVE in 2011
2011
1 CVE in 2014
2014
1 CVE in 2015
2015
1 CVE in 2019
2019
1 CVE in 2023
2023
2 CVEs in 2024
2024
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

High
3
Medium
5

8 total CVEs

CVE-2025-48247medium · 4.3Missing Authorization

Shortlinks by Pretty Links <= 3.6.15 - Missing Authorization

May 19, 2025 Patched in 3.6.16 (10d)
CVE-2024-29770medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shortlinks by Pretty Links <= 3.6.2 - Reflected Cross-Site Scripting via post_status

Mar 25, 2024 Patched in 3.6.3 (3d)
CVE-2024-2326medium · 4.3Cross-Site Request Forgery (CSRF)

Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin <= 3.6.3 - Cross-Site Request Forgery to Plugin Settings Update

Mar 22, 2024 Patched in 3.6.4 (1d)
CVE-2022-47149medium · 4.3Cross-Site Request Forgery (CSRF)

Shortlinks by Pretty Links <= 3.4.0 - Cross-Site Request Forgery via route

Apr 13, 2023 Patched in 3.4.1 (285d)
CVE-2019-25147high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Pretty Links <= 2.1.9 - Unauthenticated Stored Cross-Site Scripting via track_link

Jun 19, 2019 Patched in 2.1.10 (1679d)
CVE-2015-9457high · 7.2Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Pretty Links – Link Management, Branding, Tracking & Sharing Plugin <= 1.6.7 - SQL Injection

Jul 8, 2015 Patched in 1.6.8 (3121d)
CVE-2013-1636high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Pretty Links Lite < 1.6.3 - Stored Cross-Site Scripting

Aug 1, 2014 Patched in 1.6.3 (3462d)
CVE-2011-4595medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Pretty Links – Link Management, Branding, Tracking & Sharing Plugin < 1.5.6 - Reflected Cross-Site Scripting

Dec 4, 2011 Patched in 1.5.6 (4433d)
Code Analysis
Analyzed Mar 16, 2026

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin Code Analysis

Dangerous Functions
1
Raw SQL Queries
8
148 prepared
Unescaped Output
67
981 escaped
Nonce Checks
44
Capability Checks
29
File Operations
2
External Requests
12
Bundled Libraries
2

Dangerous Functions Found

unserialize$prli_options = unserialize($prli_options);app\models\PrliOptions.php:378

Bundled Libraries

TinyMCESelect2

SQL Query Safety

95% prepared156 total queries

Output Escaping

94% escaped1048 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

23 flows7 with unsanitized paths
process_connect (app\controllers\PrliAuthenticatorController.php:74)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
20 unprotected

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin Attack Surface

Entry Points49
Unprotected20

AJAX Handlers 49

authwp_ajax_prli_addon_activateapp\controllers\PrliAddonsController.php:9
authwp_ajax_prli_addon_deactivateapp\controllers\PrliAddonsController.php:10
authwp_ajax_prli_addon_installapp\controllers\PrliAddonsController.php:11
authwp_ajax_pl_dismiss_upgrade_headerapp\controllers\PrliAppController.php:51
authwp_ajax_prli_dismiss_noticeapp\controllers\PrliAppController.php:52
authwp_ajax_prli_dismiss_daily_noticeapp\controllers\PrliAppController.php:53
authwp_ajax_prli_dismiss_monthly_noticeapp\controllers\PrliAppController.php:54
authwp_ajax_validate_pretty_linkapp\controllers\PrliLinksController.php:17
authwp_ajax_reset_pretty_linkapp\controllers\PrliLinksController.php:18
authwp_ajax_prli_quick_createapp\controllers\PrliLinksController.php:19
authwp_ajax_prli_links_list_save_bulk_editapp\controllers\PrliLinksController.php:46
authwp_ajax_prli_onboarding_save_featuresapp\controllers\PrliOnboardingController.php:9
authwp_ajax_prli_onboarding_save_new_linkapp\controllers\PrliOnboardingController.php:10
authwp_ajax_prli_onboarding_save_new_categoryapp\controllers\PrliOnboardingController.php:11
authwp_ajax_prli_onboarding_get_categoryapp\controllers\PrliOnboardingController.php:12
authwp_ajax_prli_onboarding_set_contentapp\controllers\PrliOnboardingController.php:13
authwp_ajax_prli_onboarding_unset_contentapp\controllers\PrliOnboardingController.php:14
authwp_ajax_prli_onboarding_import_linksapp\controllers\PrliOnboardingController.php:15
authwp_ajax_prli_onboarding_mark_content_steps_skippedapp\controllers\PrliOnboardingController.php:16
authwp_ajax_prli_onboarding_mark_steps_completeapp\controllers\PrliOnboardingController.php:17
authwp_ajax_prli_onboarding_unset_categoryapp\controllers\PrliOnboardingController.php:18
authwp_ajax_prli_onboarding_install_correct_editionapp\controllers\PrliOnboardingController.php:19
authwp_ajax_prli_onboarding_install_addonsapp\controllers\PrliOnboardingController.php:20
authwp_ajax_prli_onboarding_load_complete_stepapp\controllers\PrliOnboardingController.php:21
authwp_ajax_prli_onboarding_load_create_new_contentapp\controllers\PrliOnboardingController.php:22
authwp_ajax_prli_onboarding_load_link_step_contentapp\controllers\PrliOnboardingController.php:23
authwp_ajax_prli_onboarding_re_render_links_listapp\controllers\PrliOnboardingController.php:24
authwp_ajax_prli_onboarding_load_finish_stepapp\controllers\PrliOnboardingController.php:25
authwp_ajax_prli_onboarding_finishapp\controllers\PrliOnboardingController.php:26
authwp_ajax_prli_stop_popupapp\controllers\PrliPopupController.php:39
authwp_ajax_prli_delay_popupapp\controllers\PrliPopupController.php:40
authwp_ajax_prli_tinymce_formapp\controllers\PrliPostsController.php:10
authwp_ajax_prli_tinymce_validate_slugapp\controllers\PrliPostsController.php:11
authwp_ajax_prli_create_pretty_linkapp\controllers\PrliPostsController.php:12
authwp_ajax_prli_search_for_linksapp\controllers\PrliPostsController.php:13
authwp_ajax_pl_dismiss_review_promptapp\controllers\PrliReviewNoticeController.php:10
authwp_ajax_prli_stripe_connect_update_credsapp\controllers\PrliStripeConnectController.php:21
authwp_ajax_prli_stripe_connect_refreshapp\controllers\PrliStripeConnectController.php:22
authwp_ajax_prli_stripe_connect_disconnectapp\controllers\PrliStripeConnectController.php:23
authwp_ajax_prli_search_stripe_pricesapp\controllers\PrliStripeController.php:14
authwp_ajax_prli_stripe_add_productapp\controllers\PrliStripeController.php:15
authwp_ajax_prli_dismiss_customer_portal_noticeapp\controllers\PrliStripeController.php:22
authwp_ajax_plp_edge_updatesapp\controllers\PrliUpdateController.php:21
authwp_ajax_prli_activate_licenseapp\controllers\PrliUpdateController.php:28
authwp_ajax_prli_deactivate_licenseapp\controllers\PrliUpdateController.php:29
authwp_ajax_prli_install_license_editionapp\controllers\PrliUpdateController.php:30
authwp_ajax_mosh_addon_activatevendor-prefixed\caseproof\ground-level-mothership\Manager\AddonsManager.php:28
authwp_ajax_mosh_addon_deactivatevendor-prefixed\caseproof\ground-level-mothership\Manager\AddonsManager.php:29
authwp_ajax_mosh_addon_installvendor-prefixed\caseproof\ground-level-mothership\Manager\AddonsManager.php:30
WordPress Hooks 101
actionadmin_enqueue_scriptsapp\controllers\PrliAddonsController.php:7
actionin_admin_headerapp\controllers\PrliAddonsController.php:8
actioninitapp\controllers\PrliAppController.php:24
actionadmin_enqueue_scriptsapp\controllers\PrliAppController.php:25
actionadmin_menuapp\controllers\PrliAppController.php:26
filtercustom_menu_orderapp\controllers\PrliAppController.php:28
filtermenu_orderapp\controllers\PrliAppController.php:29
filtermenu_orderapp\controllers\PrliAppController.php:30
filterdisplay_post_statesapp\controllers\PrliAppController.php:31
actioninitapp\controllers\PrliAppController.php:35
actionwp_dashboard_setupapp\controllers\PrliAppController.php:39
actionafter_plugin_rowapp\controllers\PrliAppController.php:41
actionadmin_noticesapp\controllers\PrliAppController.php:42
actioninitapp\controllers\PrliAppController.php:45
actionin_admin_headerapp\controllers\PrliAppController.php:49
filteradmin_footer_textapp\controllers\PrliAppController.php:57
actionin_admin_footerapp\controllers\PrliAppController.php:58
actioninitapp\controllers\PrliAuthenticatorController.php:16
actioninitapp\controllers\PrliAuthenticatorController.php:17
actionadmin_initapp\controllers\PrliAuthenticatorController.php:18
actioninitapp\controllers\PrliClicksController.php:12
actionadmin_initapp\controllers\PrliClicksController.php:13
actionadmin_footerapp\controllers\PrliFlyoutMenuController.php:9
actionadmin_enqueue_scriptsapp\controllers\PrliGrowthToolsController.php:7
actioninitapp\controllers\PrliLinksController.php:5
filtercron_schedulesapp\controllers\PrliLinksController.php:6
actionprli_cleanup_visitor_locks_workerapp\controllers\PrliLinksController.php:7
actionadmin_initapp\controllers\PrliLinksController.php:8
actionpre_get_postsapp\controllers\PrliLinksController.php:9
actionsave_postapp\controllers\PrliLinksController.php:10
actiondeleted_postapp\controllers\PrliLinksController.php:11
actiontransition_post_statusapp\controllers\PrliLinksController.php:12
actiontransition_post_statusapp\controllers\PrliLinksController.php:13
filterredirect_post_locationapp\controllers\PrliLinksController.php:14
actionadmin_noticesapp\controllers\PrliLinksController.php:15
actionadmin_noticesapp\controllers\PrliLinksController.php:16
filterposts_searchapp\controllers\PrliLinksController.php:22
filterposts_whereapp\controllers\PrliLinksController.php:25
filterposts_fieldsapp\controllers\PrliLinksController.php:26
filterposts_joinapp\controllers\PrliLinksController.php:27
actionrestrict_manage_postsapp\controllers\PrliLinksController.php:30
filterposts_whereapp\controllers\PrliLinksController.php:31
actionposts_orderbyapp\controllers\PrliLinksController.php:37
filterdefault_hidden_columnsapp\controllers\PrliLinksController.php:42
actionquick_edit_custom_boxapp\controllers\PrliLinksController.php:43
actionbulk_edit_custom_boxapp\controllers\PrliLinksController.php:44
actionsave_postapp\controllers\PrliLinksController.php:45
filteradmin_body_classapp\controllers\PrliLinksController.php:47
filterpost_row_actionsapp\controllers\PrliLinksController.php:48
filteradmin_urlapp\controllers\PrliLinksController.php:55
filtersubmenu_fileapp\controllers\PrliLinksController.php:56
actioncurrent_screenapp\controllers\PrliLinksController.php:57
filteracf/input/meta_box_priorityapp\controllers\PrliLinksController.php:59
filtersubmenu_fileapp\controllers\PrliOnboardingController.php:6
actionadmin_enqueue_scriptsapp\controllers\PrliOnboardingController.php:7
actionadmin_noticesapp\controllers\PrliOnboardingController.php:8
actionprli_license_activatedapp\controllers\PrliOnboardingController.php:27
actionprli_license_deactivatedapp\controllers\PrliOnboardingController.php:28
actionadmin_menuapp\controllers\PrliOnboardingController.php:29
actionload-admin_page_pretty-link-onboardingapp\controllers\PrliOnboardingController.php:30
actionadmin_noticesapp\controllers\PrliOnboardingController.php:31
filtermonsterinsights_shareasale_idapp\controllers\PrliOnboardingController.php:32
actionactivated_pluginapp\controllers\PrliOnboardingController.php:33
actionadmin_enqueue_scriptsapp\controllers\PrliPopupController.php:38
actionadmin_noticesapp\controllers\PrliPopupController.php:41
actioninitapp\controllers\PrliPostsController.php:8
actionadd_meta_boxesapp\controllers\PrliPostsController.php:9
filtermce_external_pluginsapp\controllers\PrliPostsController.php:37
filtermce_buttonsapp\controllers\PrliPostsController.php:38
actionadmin_noticesapp\controllers\PrliReviewNoticeController.php:9
actionadmin_initapp\controllers\PrliStripeConnectController.php:17
actionadmin_noticesapp\controllers\PrliStripeConnectController.php:18
actionupdate_option_homeapp\controllers\PrliStripeConnectController.php:19
actionupdate_option_siteurlapp\controllers\PrliStripeConnectController.php:20
actionprli_link_form_after_slug_rowapp\controllers\PrliStripeController.php:8
filterprli_setup_new_varsapp\controllers\PrliStripeController.php:9
filterprli_setup_edit_varsapp\controllers\PrliStripeController.php:10
filterprli_validate_linkapp\controllers\PrliStripeController.php:11
actionprli_update_linkapp\controllers\PrliStripeController.php:12
actionprli_prettypay_link_stripe_redirectapp\controllers\PrliStripeController.php:13
actionwp_enqueue_scriptsapp\controllers\PrliStripeController.php:16
filterthe_contentapp\controllers\PrliStripeController.php:17
actionadmin_footerapp\controllers\PrliStripeController.php:18
actionparse_requestapp\controllers\PrliStripeController.php:19
actionprli-store-optionsapp\controllers\PrliStripeController.php:20
actionprli-options-messageapp\controllers\PrliStripeController.php:21
actioninitapp\controllers\PrliToolsController.php:6
filterpre_set_site_transient_update_pluginsapp\controllers\PrliUpdateController.php:19
actionadmin_initapp\controllers\PrliUpdateController.php:20
filterplugins_apiapp\controllers\PrliUpdateController.php:22
actionadmin_noticesapp\controllers\PrliUpdateController.php:25
actionadmin_initapp\controllers\PrliUpdateController.php:26
actionadmin_enqueue_scriptsapp\controllers\PrliUpdateController.php:27
actionin_plugin_update_message-pretty-link/pretty-link.phpapp\controllers\PrliUpdateController.php:31
actionprli_plugin_edition_changedapp\controllers\PrliUpdateController.php:32
actionadmin_noticesapp\controllers\PrliUpdateController.php:354
filterxmlrpc_methodsapp\controllers\PrliXmlRpcController.php:12
actionplugins_loadedpretty-link.php:175
actionafter_setup_themepretty-link.php:219
filtersite_transient_update_pluginsvendor-prefixed\caseproof\ground-level-mothership\Manager\AddonsManager.php:31
actionadmin_menuvendor-prefixed\caseproof\growth-tools\src\App.php:47

Scheduled Events 1

prli_cleanup_visitor_locks_worker
Maintenance & Trust

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 21, 2026
PHP min version7.4
Downloads9.2M

Community Trust

Rating96/100
Number of ratings1,305
Active installs300K
Alternatives

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin Alternatives

SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments

SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments

surecart

A
99

Make ecommerce easy with a simple to use, all-in-one platform, that anyone can set up in just a few minutes!

90K 2 CVEs
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

easy-digital-downloads

B
75

The #1 eCommerce plugin to sell digital products & subscriptions. Accept credit card payments with Stripe & PayPal and start your store today.

40K 39 CVEs
Contact Form 7 – PayPal & Stripe Add-on

Contact Form 7 – PayPal & Stripe Add-on

contact-form-7-paypal-add-on

A
96

Easily add PayPal and Stripe to Contact Form 7. Accept credit card payments with Stripe & PayPal on your site today. Offical PayPal & Stripe Partner.

8K 5 CVEs
WP Stripe Checkout

WP Stripe Checkout

wp-stripe-checkout

A
97

Accept Stripe payments in WordPress without creating any product. Perfect for donations, services, or selling anything. No coding required.

1K 3 CVEs
Buy Now Plus — Payments with Stripe

Buy Now Plus — Payments with Stripe

buy-now-plus

A
99

A cloud-backed plugin that lets you securely accept Credit Card payments on your site using Stripe without needing to install an SSL certificate.

20 1 CVE
Developer Profile

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin Developer Profile

Blair Williams

4 plugins · 630K total installs

76
trust score
Avg Security Score
96/100
Avg Patch Time
1044 days
View full developer profile
Detection Fingerprints

How We Detect PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/pretty-link/css/prli-admin.css/wp-content/plugins/pretty-link/css/pretty-link-main.css/wp-content/plugins/pretty-link/css/pretty-link-bootstrap.css/wp-content/plugins/pretty-link/css/pretty-link-vendors.css/wp-content/plugins/pretty-link/js/pretty-link-vendors.js/wp-content/plugins/pretty-link/js/pretty-link-main.js/wp-content/plugins/pretty-link/js/pretty-link-admin.js/wp-content/plugins/pretty-link/js/pretty-link-vue.js+1 more
Script Paths
/wp-content/plugins/pretty-link/js/pretty-link-vendors.js/wp-content/plugins/pretty-link/js/pretty-link-main.js/wp-content/plugins/pretty-link/js/pretty-link-admin.js/wp-content/plugins/pretty-link/js/pretty-link-vue.js
Version Parameters
pretty-link/css/prli-admin.css?ver=pretty-link/css/pretty-link-main.css?ver=pretty-link/css/pretty-link-bootstrap.css?ver=pretty-link/css/pretty-link-vendors.css?ver=pretty-link/js/pretty-link-vendors.js?ver=pretty-link/js/pretty-link-main.js?ver=pretty-link/js/pretty-link-admin.js?ver=pretty-link/js/pretty-link-vue.js?ver=

HTML / DOM Fingerprints

CSS Classes
pretty-link-admin-wrappretty-link-edit-link-sectionpretty-link-link-target-editor
HTML Comments
<!-- Pretty Links Activated -->
Data Attributes
data-pl-link-iddata-pl-link-slugdata-pl-link-targetdata-pl-group-id
JS Globals
PrliLinksPrliLinkMetaPrliUtilsPrettyLinkApiSettingsprettyLinkVueApp
REST Endpoints
/wp-json/pretty-link/v1/links/wp-json/pretty-link/v1/groups
Shortcode Output
[pretty_link id="
FAQ

Frequently Asked Questions about PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin