Bitly's WordPress Plugin Security & Risk Analysis

wordpress.org/plugins/wp-bitly

Create short links to your content with Bitly’s WordPress Plugin.

2K active installs · v2.8.1 · PHP + WP 5.0+ · Updated Mar 10, 2026
Tags: bitly, custom-domain, shortener, shortlink, url

Score: 74 · Grade B · Generally Safe
CVEs total: 4
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is Bitly's WordPress Plugin Safe to Use in 2026?

Mostly Safe

Score 74/100

Bitly's WordPress Plugin is generally safe to use. 4 past CVEs were resolved. Keep it updated.

4 known CVEs · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 24d ago
Risk Assessment

The wp-bitly plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices with 100% of SQL queries using prepared statements and a high percentage of output being properly escaped, alongside a robust number of nonce and capability checks. This suggests a development team with an awareness of common web security pitfalls.

However, significant concerns arise from the attack surface analysis. Three out of five AJAX handlers lack authentication checks, presenting a direct pathway for unauthorized actions if exploited. The taint analysis, while limited in scope, did identify one flow with unsanitized paths, which, though not classified as critical or high, warrants attention given the potential for unexpected behavior. The plugin's history of four known CVEs, including one currently unpatched medium severity vulnerability, and common patterns of Cross-site Scripting and Missing Authorization, is a strong indicator of recurring security weaknesses that have not been fully addressed.

In conclusion, while the plugin has some commendable security implementations, the presence of unprotected AJAX handlers, a history of vulnerabilities including an unpatched one, and identified taint flows paint a picture of moderate risk. The recurring nature of past vulnerabilities suggests a need for more rigorous security auditing and remediation processes to ensure long-term security.

Key Concerns

  • Unprotected AJAX handlers
  • Currently unpatched CVE
  • Medium severity CVE history (4 instances)
  • Flows with unsanitized paths
  • Missing Authorization vulnerability history
  • Cross-site Scripting vulnerability history
Vulnerabilities
4

Bitly's WordPress Plugin Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 2 CVEs (has unpatched)

Severity Breakdown

  • Medium: 4

4 total CVEs

CVE-2025-58231 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Bitly <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Sep 22, 2025 · Unpatched

CVE-2024-12616 · medium (4.3) · Missing Authorization
Bitly's WordPress Plugin <= 2.7.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Jan 8, 2025 · Patched in 2.7.4 (100d)

CVE-2024-43209 · medium (5.3) · Missing Authorization
Bitly's WordPress Plugin <= 2.7.2 - Missing Authorization
Aug 9, 2024 · Patched in 2.7.3 (88d)

CVE-2023-5577 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Bitly's WordPress Plugin <= 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Nov 6, 2023 · Patched in 2.7.2 (205d)
Code Analysis
Analyzed Mar 16, 2026

Bitly's WordPress Plugin Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 12 (69 escaped)
  • Nonce Checks: 7
  • Capability Checks: 5
  • File Operations: 0
  • External Requests: 3
  • Bundled Libraries: 0

Output Escaping

85% escaped (81 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

4 flows, 1 with unsanitized paths

  • <class-wp-bitly-settings> (includes\class-wp-bitly-settings.php:0)
Attack Surface
3 unprotected

Bitly's WordPress Plugin Attack Surface

Entry Points: 6
Unprotected: 3

AJAX Handlers 5

  • auth · wp_ajax_wpbitly_oauth_get_token · includes\class-wp-bitly-auth.php:50
  • auth · wp_ajax_wpbitly_oauth_disconnect · includes\class-wp-bitly-auth.php:51
  • auth · wp_ajax_get_domain_options · includes\class-wp-bitly.php:192
  • auth · wp_ajax_get_group_options · includes\class-wp-bitly.php:193
  • auth · wp_ajax_get_org_options · includes\class-wp-bitly.php:194

Shortcodes 1

  • [wpbitly] · includes\class-wp-bitly-shortlink.php:199

WordPress Hooks 11

  • action · admin_notices · admin\class-wp-bitly-admin.php:209
  • action · admin_notices · admin\class-wp-bitly-admin.php:287
  • action · plugins_loaded · includes\class-wp-bitly.php:167
  • action · admin_enqueue_scripts · includes\class-wp-bitly.php:186
  • action · admin_enqueue_scripts · includes\class-wp-bitly.php:187
  • action · init · includes\class-wp-bitly.php:189
  • action · init · includes\class-wp-bitly.php:190
  • action · admin_init · includes\class-wp-bitly.php:191
  • action · save_post · includes\class-wp-bitly.php:197
  • action · init · includes\class-wp-bitly.php:200
  • action · admin_init · includes\class-wp-bitly.php:202
Maintenance & Trust

Bitly's WordPress Plugin Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: Mar 10, 2026
  • PHP min version:
  • Downloads: 143K

Community Trust

  • Rating: 84/100
  • Number of ratings: 23
  • Active installs: 2K
Developer Profile

Bitly's WordPress Plugin Developer Profile

bitly · developer

1 plugin · 2K total installs

  • Trust score: 61
  • Avg Security Score: 74/100
  • Avg Patch Time: 131 days
Detection Fingerprints

How We Detect Bitly's WordPress Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-bitly/admin/css/wp-bitly-admin.css
  • /wp-content/plugins/wp-bitly/admin/css/chartist/chartist.min.css
  • /wp-content/plugins/wp-bitly/admin/js/wp-bitly-admin.js
  • /wp-content/plugins/wp-bitly/admin/js/chartist/chartist.min.js

Script Paths
  • /wp-content/plugins/wp-bitly/admin/js/wp-bitly-admin.js
  • /wp-content/plugins/wp-bitly/admin/js/chartist/chartist.min.js

Version Parameters
  • wp-bitly/admin/css/wp-bitly-admin.css?ver=
  • wp-bitly/admin/css/chartist/chartist.min.css?ver=
  • wp-bitly/admin/js/wp-bitly-admin.js?ver=
  • wp-bitly/admin/js/chartist/chartist.min.js?ver=

HTML / DOM Fingerprints

  • CSS Classes: wp-bitly-setup-notice
  • Data Attributes: data-nonce
  • JS Globals: wpBitlyData
FAQ

Frequently Asked Questions about Bitly's WordPress Plugin