URL Shortify – Simple and Easy URL Shortener Security & Risk Analysis

wordpress.org/plugins/url-shortify

URL Shortify helps you beautify, manage, share & cloak any links on or off your WordPress website. Create links using your domain name!

10K active installs · v2.1 · PHP 5.6+ · WP 5.0.0+ · Updated Mar 11, 2026
Tags: affiliate-links, cloaking, link-branding, short-links, url-shortener

Score: 92 (A · Safe)
CVEs total: 9
Unpatched: 0
Last CVE: Feb 19, 2026

Safety Verdict

Is URL Shortify – Simple and Easy URL Shortener Safe to Use in 2026?

Generally Safe

Score 92/100

URL Shortify – Simple and Easy URL Shortener has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: Feb 19, 2026 · Updated 23d ago

Risk Assessment

All of the URL Shortify plugin's entry points are protected by authentication checks, but its static analysis and vulnerability history still raise several concerns. The significant number of nonce and capability checks, and the fact that a majority of SQL queries use prepared statements, are positive indicators. However, the plugin's history of nine known CVEs, including one high-severity vulnerability, is a significant red flag, because it suggests a pattern of past security weaknesses that could resurface. The taint analysis reported no critical or high-severity issues, but it did identify two flows with unsanitized paths, which may indicate subtle vulnerabilities that are not immediately obvious. Furthermore, only 65% of output is properly escaped, which creates a risk of cross-site scripting if user-provided data reaches the remaining 35% of outputs without careful handling.

The plugin's vulnerability history is particularly concerning. A total of nine CVEs, with common types including SSRF, Open Redirect, XSS, and CSRF, points to a recurring struggle with fundamental web security principles. That the most recent vulnerability is dated Feb 19, 2026 and that there are currently no unpatched vulnerabilities is a slight positive, but the sheer number of past issues cannot be ignored. The bundled Freemius library, while not explicitly flagged as outdated in the provided data, is another potential vector if it has known vulnerabilities of its own. Overall, while efforts have been made to secure entry points and database interactions, the plugin's past behavior and some static analysis findings warrant caution.

Key Concerns

  • High number of known CVEs (9 total)
  • 1 High severity known CVE
  • 2 Taint flows with unsanitized paths
  • Only 65% of outputs properly escaped
  • Bundled Freemius v1.0 library

Vulnerabilities: 9

URL Shortify – Simple and Easy URL Shortener Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 3 CVEs
2025: 3 CVEs
2026: 2 CVEs

Severity Breakdown

High: 1
Medium: 8

9 total CVEs

CVE-2026-25385 · medium · 6.4 · Server-Side Request Forgery (SSRF)

URL Shortify <= 1.12.3 - Authenticated (Author+) Server-Side Request Forgery

Feb 19, 2026 · Patched in 1.12.4 (7d)

CVE-2026-1277 · medium · 4.7 · URL Redirection to Untrusted Site ('Open Redirect')

URL Shortify <= 1.12.1 - Unauthenticated Open Redirect via 'redirect_to' Parameter

Feb 17, 2026 · Patched in 1.12.2 (1d)

CVE-2025-13355 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

URL Shortify <= 1.11.3 - Reflected Cross-Site Scripting

Nov 24, 2025 · Patched in 1.11.4 (26d)

CVE-2025-12684 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

URL Shortify <= 1.11.2 - Reflected Cross-Site Scripting

Nov 24, 2025 · Patched in 1.11.3 (26d)

CVE-2025-32134 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

URL Shortify <= 1.10.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 4, 2025 · Patched in 1.10.6 (56d)

CVE-2023-5605 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

URL Shortify <= 1.7.9 - Authenticated (Admin+) Stored Cross-Site Scripting

Nov 16, 2023 · Patched in 1.7.9.1 (68d)

CVE-2023-4294 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

URL Shortify <= 1.7.5 - Unauthenticated Stored Cross-Site Scripting via Referrer Header

Aug 21, 2023 · Patched in 1.7.6 (155d)

CVE-2023-3129 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress <= 1.6.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Jun 19, 2023 · Patched in 1.7.0 (218d)

CVE-2021-24749 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

URL Shortify <= 1.5.0 - Cross-Site Request Forgery

Oct 28, 2021 · Patched in 1.5.1 (817d)

Code Analysis
Analyzed Mar 16, 2026

URL Shortify – Simple and Easy URL Shortener Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 33 (81 prepared)
Unescaped Output: 205 (378 escaped)
Nonce Checks: 45
Capability Checks: 8
File Operations: 5
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

71% prepared · 114 total queries

Output Escaping

65% escaped · 583 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths
dismiss_promotions (lite\includes\Promo.php:53)
Attack Surface

URL Shortify – Simple and Easy URL Shortener Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers 4

auth · wp_ajax_us_handle_request · lite\includes\Ajax.php:35
nopriv · wp_ajax_us_handle_request · lite\includes\Ajax.php:36
auth · wp_ajax_url_shortify_manage_plugin · lite\includes\Ajax.php:37
auth · wp_ajax_kc_us_email_test · lite\includes\EmailReports\Init.php:16

REST API Routes 1

GET · /wp-json/url-shortify/v1/email-digest/test · lite\includes\EmailReports\Init.php:223

WordPress Hooks 75

filter · wpsf_register_settings_kc_us · lite\includes\Admin\admin-settings.php:26
filter · kc_us_settings_validate · lite\includes\Admin\admin-settings.php:27
action · admin_menu · lite\includes\Admin\Settings.php:29
filter · wpsf_register_settings_kc_us_tools · lite\includes\Admin\tools-settings.php:25
action · admin_menu · lite\includes\Admin\Tools.php:27
filter · determine_current_user · lite\includes\API\Authentication.php:44
filter · rest_authentication_errors · lite\includes\API\Authentication.php:45
filter · rest_post_dispatch · lite\includes\API\Authentication.php:46
filter · rest_pre_dispatch · lite\includes\API\Authentication.php:47
action · rest_api_init · lite\includes\API\Init.php:27
filter · rest_allowed_cors_headers · lite\includes\API\Init.php:42
filter · rest_pre_serve_request · lite\includes\API\Init.php:45
action · rest_api_init · lite\includes\API\V1\GroupsRestController.php:33
action · rest_api_init · lite\includes\API\V1\LinksRestController.php:34
action · add_meta_boxes · lite\includes\Common\Actions.php:32
action · kc_us_link_deleted · lite\includes\Common\Actions.php:35
action · kc_us_link_deleted · lite\includes\Common\Actions.php:36
action · kc_us_group_deleted · lite\includes\Common\Actions.php:38
action · save_post · lite\includes\Common\Actions.php:41
action · delete_post · lite\includes\Common\Actions.php:44
filter · manage_pages_columns · lite\includes\Common\Actions.php:46
filter · manage_posts_columns · lite\includes\Common\Actions.php:47
filter · edd_download_columns · lite\includes\Common\Actions.php:48
action · manage_posts_custom_column · lite\includes\Common\Actions.php:50
action · manage_pages_custom_column · lite\includes\Common\Actions.php:51
filter · kc_us_cpt_short_link · lite\includes\Common\Actions.php:67
filter · heateor_ss_target_share_url_filter · lite\includes\Common\Actions.php:80
filter · heateor_sss_target_share_url_filter · lite\includes\Common\Actions.php:93
action · kc_us_link_created · lite\includes\Common\Actions.php:126
action · kc_us_link_updated · lite\includes\Common\Actions.php:127
action · kc_us_link_deleted · lite\includes\Common\Actions.php:128
action · kc_us_group_created · lite\includes\Common\Actions.php:130
action · kc_us_group_updated · lite\includes\Common\Actions.php:131
action · kc_us_group_deleted · lite\includes\Common\Actions.php:132
filter · kc_us_filter_links_actions · lite\includes\Common\Actions.php:134
action · kc_us_link_saved · lite\includes\Common\Actions.php:136
action · kc_us_links_deleted · lite\includes\Common\Actions.php:137
filter · get_shortlink · lite\includes\Common\Actions.php:155
filter · kc_us_clicks_data · lite\includes\Common\Actions.php:162
filter · the_content · lite\includes\Common\Actions.php:169
filter · get_the_excerpt · lite\includes\Common\Actions.php:170
filter · get_the_excerpt · lite\includes\Common\Actions.php:171
action · wp_head · lite\includes\Common\Actions.php:172
action · regenerate_json_links_daily · lite\includes\Cron.php:13
action · regenerate_json_links · lite\includes\Cron.php:14
filter · wp_mail_content_type · lite\includes\Email\Report.php:19
action · init · lite\includes\EmailReports\Init.php:12
action · admin_post_kc_us_email_preview · lite\includes\EmailReports\Init.php:14
action · rest_api_init · lite\includes\EmailReports\Init.php:18
action · admin_notices · lite\includes\Feedback.php:36
action · init · lite\includes\Frontend\Redirect.php:15
action · admin_init · lite\includes\Install.php:129
action · admin_init · lite\includes\Install.php:130
action · admin_enqueue_scripts · lite\includes\Plugin.php:148
action · admin_enqueue_scripts · lite\includes\Plugin.php:149
action · admin_menu · lite\includes\Plugin.php:151
action · admin_init · lite\includes\Plugin.php:153
action · admin_notices · lite\includes\Plugin.php:154
action · init · lite\includes\Plugin.php:156
action · wp_dashboard_setup · lite\includes\Plugin.php:157
filter · set-screen-option · lite\includes\Plugin.php:159
action · admin_print_scripts · lite\includes\Plugin.php:161
filter · admin_footer_text · lite\includes\Plugin.php:162
action · in_plugin_update_message-url-shortify/url-shortify.php · lite\includes\Plugin.php:163
action · wp_enqueue_scripts · lite\includes\Plugin.php:178
action · wp_enqueue_scripts · lite\includes\Plugin.php:179
action · admin_init · lite\includes\Promo.php:21
action · admin_notices · lite\includes\Promo.php:22
action · admin_init · lite\includes\Settings.php:98
action · admin_notices · lite\includes\Settings.php:106
action · admin_enqueue_scripts · lite\includes\Settings.php:108
action · after_uninstall · lite\includes\Uninstall.php:14
filter · plugin_icon · url-shortify.php:97
action · admin_notices · url-shortify.php:124
action · plugins_loaded · url-shortify.php:230

Scheduled Events 2

regenerate_json_links_daily
regenerate_json_links
Maintenance & Trust

URL Shortify – Simple and Easy URL Shortener Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 5.6
Downloads: 535K

Community Trust

Rating: 92/100
Number of ratings: 155
Active installs: 10K

Developer Profile

URL Shortify – Simple and Easy URL Shortener Developer Profile

KaizenCoders

14 plugins · 31K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 153 days
Detection Fingerprints

How We Detect URL Shortify – Simple and Easy URL Shortener

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/url-shortify/lite/dist/styles/app.css
/wp-content/plugins/url-shortify/lite/scripts/app.js

HTML / DOM Fingerprints

CSS Classes
kc-us-admin-notice
kc-us-wrap
kc-us-dashboard-wrapper
kc-us-tools-wrap
kc-us-dashboard-wrap
kc-us-tool-card
HTML Comments
URL Shortify
URL Shortify helps you beautify, manage, share & cloak any links on or off of your WordPress website. Create links that look how you want using your own domain name!
URL Shortify requires PHP version %s+, plugin is currently NOT RUNNING.
Data Attributes
data-url-shortify
JS Globals
kc_us_params
urlShortify
REST Endpoints
/wp-json/url-shortify/v1/links
/wp-json/url-shortify/v1/settings
Shortcode Output
[url_shortify_link]
[url_shortify_tracker]