Impact
The Bitly URL Shortener plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability that enables an attacker to submit requests on behalf of a logged-in user. The flaw arises from insufficient verification of request authenticity for the plugin's shortener actions. Based on the description, it is inferred that this could allow an attacker to create or manipulate short URLs under the victim's account without the user's knowledge, potentially exposing sensitive links or redirecting traffic to malicious destinations. The weakness is classified as CWE-352.
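To make the "insufficient verification of request authenticity" concrete, the following is an added illustrative example, not code from the Bitly URL Shortener plugin or from Codehaveli. It shows a minimal WordPress admin-post handler that stores a long URL for shortening, first in the CWE-352 shape (the handler accepts any POST that carries the expected field, so a form on another origin can submit it through a logged-in administrator's browser), then hardened with WordPress's standard nonce and capability checks. All names prefixed `example_` (functions, the option key, the action names, the admin page slug) are hypothetical; the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `admin_url`, `esc_url_raw`, `get_option`, `update_option`, `wp_safe_redirect`) are real core functions.

```php
<?php
/**
 * Added example (not the plugin's own code): one admin-post handler shown
 * without and with request-origin verification. Everything prefixed
 * "example_" is a hypothetical name chosen for this illustration.
 */

/** Shared persistence step: append the submitted URL to an option. */
function example_shortener_store( $long_url ) {
    $links   = get_option( 'example_short_links', array() );
    $links[] = $long_url;
    update_option( 'example_short_links', $links );
}

// ---------------------------------------------------------------------
// Vulnerable pattern (CWE-352): no nonce, no capability check. Any site
// that gets a logged-in user's browser to POST here can add a link.
// ---------------------------------------------------------------------
function example_shortener_save_unsafe() {
    if ( empty( $_POST['long_url'] ) ) {
        wp_die( 'Missing URL' );
    }
    example_shortener_store( esc_url_raw( wp_unslash( $_POST['long_url'] ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-shortener' ) );
    exit;
}
add_action( 'admin_post_example_shortener_save_unsafe', 'example_shortener_save_unsafe' );

// ---------------------------------------------------------------------
// Hardened pattern: the form embeds a nonce bound to this user and this
// action; the handler verifies it and checks the user's capability.
// ---------------------------------------------------------------------
function example_shortener_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_shortener_save">
        <?php
        // Emits a hidden field named example_shortener_nonce whose value is
        // tied to the current user, the current session and this action.
        wp_nonce_field( 'example_shortener_save', 'example_shortener_nonce' );
        ?>
        <input type="url" name="long_url" required>
        <?php submit_button( 'Shorten' ); ?>
    </form>
    <?php
}

function example_shortener_save() {
    // 1. Authorization: only users allowed to manage the site may add links.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Request authenticity: check_admin_referer() reads the nonce from
    //    $_REQUEST['example_shortener_nonce'], verifies it against the
    //    'example_shortener_save' action for the current user, and stops
    //    the request (wp_nonce_ays) when it is missing, forged or expired.
    //    A cross-origin form cannot obtain this value, so the forged
    //    request is rejected before any state changes.
    check_admin_referer( 'example_shortener_save', 'example_shortener_nonce' );

    if ( empty( $_POST['long_url'] ) ) {
        wp_die( 'Missing URL' );
    }
    example_shortener_store( esc_url_raw( wp_unslash( $_POST['long_url'] ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-shortener' ) );
    exit;
}
add_action( 'admin_post_example_shortener_save', 'example_shortener_save' );
```

Both checks matter: the capability test alone does not stop CSRF, because the forged request already rides on a privileged user's cookies, and the nonce alone does not stop a low-privilege but authenticated user from reaching an administrative action. Reviewers auditing a plugin for this weakness look for every state-changing handler (admin-post actions, AJAX handlers, REST callbacks without a permission callback) and confirm that each one performs a nonce or equivalent origin check before it writes.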
Affected Systems
The vulnerability affects the Codehaveli Bitly URL Shortener plugin for WordPress in all versions up to and including 1.4.1 (the lower bound is listed as n/a). Any WordPress site running this plugin at version 1.4.1 or older is susceptible.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at the time of analysis, and the vulnerability is not listed in CISA’s KEV catalog. Because CSRF attacks typically require the victim to be authenticated to the target site, the primary attack vector is likely a web browser session with the user’s credentials. The risk is therefore confined to users who are logged into the WordPress administration interface and who might be tricked into visiting a malicious page that triggers the shortener request.
OpenCVE Enrichment