Autofill, should we turn it off?

Let me explain why this is clickbait.

But first, let me clarify some terminology. “Auto-fill” is a process of directly transferring credentials from the browser extension into a web form without using the system clipboard (i.e., by copy & paste). Auto-fill can be either automatic (in Bitwarden, this is called “auto-fill on page load”), or on-demand (in Bitwarden, on-demand auto-fill can be triggered using the Ctrl+Shift+L shortcut, or by clicking a login item shown in the Tab view of the browser extension, or by going through the right-click context menu).

The PCWorld article linked by OP opens by recommending that Bitwarden users should avoid auto-fill altogether (i.e., both on-demand and automatic auto-fill — which the article author refers to as “preemptive” auto-fill, for some reason). This is unequivocally bad advice, because it opens up users to phishing attacks, as well as leaks/theft of credentials via the system clipboard (the contents of which can be read by any process on your device). There is a lot of other misinformation in the PCWorld article, as explained in the Reddit discussion that I had linked above. Particularly egregious is the fact that PCWorld is using this article to promote Dashlane as their “best” “editor’s choice”, when Dashlane has automatic autofill enabled by default, which Bitwarden does not (although the article never admits this, and even falsely implies that the opposite is true). This article is so poorly written that it is not worth anybody’s while to pay attention to it.

Turning our attention to real issues, yes, it is true that there are some risks inherent in the use of auto-fill, especially automatic auto-filling. However, these risks are not unique to Bitwarden, and they are not exactly breaking news — they have been known for decades. The most insidious vulnerability is the ability to harvest auto-filled credentials from invisible form fields. The most likely vector of such an attack is script injection by XSS. Another, less likely approach that could have the same results is the use of iframes with a third-party source. All of this is well-known (and in fact, Bitwarden patched an iframe-related vulnerability last year), but the recent Flashpoint report claims credit for re-discovering the iframe mechanism. And now, all sorts of disreputable publishers are seizing on this report as a way of driving click-traffic and promoting competitor products (that all suffer from the same underlying vulnerabilities, whether or not they have implemented a band-aid solution for the iframe-mediated vector).

For a discussion of auto-fill issues away from the tabloid drama, I refer readers to this post of mine from some time ago:

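The two auto-fill vectors the post describes (hidden form fields injected by XSS, and fields inside a third-party iframe) are both things an extension can screen for before it writes a credential into a field. The following is an added example, not code from the post or from Bitwarden: it models the decision a password manager could make, with the field descriptors being constructed plain objects standing in for what an extension would read via `getComputedStyle()` and `getBoundingClientRect()`, so the file runs offline in Node. The function names, the sample URLs and the viewport size are assumptions for illustration.

```javascript
// Added example (not from the post or from Bitwarden). Two checks a password
// manager extension can make before auto-filling a field:
//  1. the frame containing the field must share an origin with the top-level
//     page, so a third-party iframe cannot receive the top-level site's login;
//  2. the field must actually be visible to the user, so credentials cannot be
//     harvested from hidden inputs injected by XSS.

// URL.origin normalises scheme, host and default port, so
// "https://example.test:443" and "https://example.test" compare equal.
function sameOrigin(frameUrl, topUrl) {
  return new URL(frameUrl).origin === new URL(topUrl).origin;
}

// Visibility heuristics over a snapshot of computed style and bounding box.
// A box that is collapsed or lies entirely outside the viewport (the classic
// "left: -9999px" trick) is treated as hidden.
function isVisible(field, viewport) {
  const s = field.style;
  if (s.display === 'none' || s.visibility === 'hidden') return false;
  if (parseFloat(s.opacity) === 0) return false;
  const r = field.rect;
  if (r.width <= 0 || r.height <= 0) return false;
  if (r.right <= 0 || r.bottom <= 0) return false;
  if (r.left >= viewport.width || r.top >= viewport.height) return false;
  return true;
}

// The origin check runs first: a visible field in a foreign frame is still
// refused, which is the iframe vector the post mentions.
function autofillDecision(field, ctx) {
  const fillable = ['password', 'text', 'email'];
  if (!fillable.includes(field.type)) {
    return { fill: false, reason: 'unsupported input type' };
  }
  if (!sameOrigin(ctx.frameUrl, ctx.topUrl)) {
    return { fill: false, reason: 'field lives in a frame from another origin' };
  }
  if (!isVisible(field, ctx.viewport)) {
    return { fill: false, reason: 'field is not visible to the user' };
  }
  return { fill: true, reason: 'visible field on the top-level origin' };
}

// Helpers to build constructed sample fields (hypothetical data, not captured
// from any real site).
function rect(left, top, width, height) {
  return { left, top, width, height, right: left + width, bottom: top + height };
}
function field(type, style, box) {
  return { type, style: { display: 'block', visibility: 'visible', opacity: '1', ...style }, rect: box };
}

const viewport = { width: 1280, height: 800 };
const top = 'https://accounts.example.test/login';

// Constructed scenarios: one legitimate field and three that must be refused.
const samples = {
  visible:    { field: field('password', {}, rect(100, 200, 240, 32)),
                ctx: { frameUrl: top, topUrl: top, viewport } },
  displayNone:{ field: field('password', { display: 'none' }, rect(100, 200, 240, 32)),
                ctx: { frameUrl: top, topUrl: top, viewport } },
  offscreen:  { field: field('password', {}, rect(-9999, 200, 240, 32)),
                ctx: { frameUrl: top, topUrl: top, viewport } },
  thirdParty: { field: field('password', {}, rect(100, 200, 240, 32)),
                ctx: { frameUrl: 'https://ads.third-party.test/frame.html',
                       topUrl: 'https://shop.example.test/checkout', viewport } },
};

// Returns { name: decision } for every scenario so the results can be checked.
function runSamples() {
  const out = {};
  for (const [name, s] of Object.entries(samples)) {
    out[name] = autofillDecision(s.field, s.ctx);
  }
  return out;
}

for (const [name, d] of Object.entries(runSamples())) {
  console.log(`${name.padEnd(12)} fill=${d.fill}  (${d.reason})`);
}
```

The visibility heuristics are a mitigation, not a guarantee: a field can be covered by an overlay, clipped with `clip-path`, or rendered in an unreadable colour and still pass every check above, which is why the post's point stands that on-demand auto-fill (where the user confirms the page before anything is filled) remains the stronger control, with these checks as a second layer rather than a replacement.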