CVE-2026-1277 PUBLISHED

URL Shortify <= 1.12.1 - Unauthenticated Open Redirect via 'redirect_to' Parameter

Assigner: Wordfence
Reserved: 20.01.2026
Published: 18.02.2026
Updated: 18.02.2026

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CVSS Score: 4.7

Product Status

Vendor: kaizencoders
Product: URL Shortify – Simple and Easy URL Shortener
Versions: Default: unaffected
  • affected from * to 1.12.1 (incl.)

Credits

  • Tarcísio Luchesi De Almeida Silva (finder)

Problem Types

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')