The Bit.ly linker plugin contains an improper neutralization of user input that enables a reflected XSS flaw. Attackers can embed arbitrary scripts into URLs that, when processed by the plugin, are reflected back into the browser without proper escaping, allowing the execution of malicious JavaScript. This weaknesses falls under CWE‑79 and can compromise the confidentiality, integrity, and availability of the affected web site and its users through malicious scripts that harvest credentials or perform other malicious actions.

The vulnerability exists in the Bit.ly linker plugin for WordPress, affecting all installations of versions from the initial release up to and including 1.1. WordPress users who have installed or upgraded to Bit.ly linker 1.1 or earlier are impacted.

The CVSS score of 7.1 indicates a moderate‑to‑high severity. The EPSS score is less than 1 %, suggesting a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. However, because reflected XSS can lead to session hijacking or data theft, the risk remains significant for sites that expose the plugin’s functionality to unauthenticated or untrusted users. The attack vector is likely through crafted URLs or input fields that the plugin processes, and the attacker needs only to lure a victim into visiting such a URL or interacting with the vulnerable page.