WordPress Plugin Vulnerabilities

URL Shortify < 1.12.2 - Unauthenticated Open Redirect via 'redirect_to' Parameter

Description

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.

Affects Plugins

Plugin icon
url-shortify
Fixed in 1.12.2

References

CVE
CVE-2026-1277
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c1dc51-47ca-4b2f-9ff9-275bd8b1c106

Classification

Type
REDIRECT
OWASP top 10
A1: Injection
CWE
CWE-601
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Tarcísio Luchesi De Almeida Silva (Poystick)
Verified
No
WPVDB ID
5180bf88-4440-4872-bdfd-87cf8394afb8

Timeline

Publicly Published
2026-02-17 (about 4 months ago)
Added
2026-02-17 (about 4 months ago)
Last Updated
2026-02-18 (about 4 months ago)

Other

Published
Title
Published
2024-10-24
Title
Sunshine Photo Cart < 3.2.11 - Open Redirect
Published
2023-07-19
Title
T1 theme <= 19.0 - Open Redirect
Published
2025-04-16
Title
Listdom < 4.1.0 - Open Redirect
Published
2018-01-01
Title
furikake - Unauthenticated Open Redirect
Published
2021-06-01
Title
MC4WP: Mailchimp for WordPress < 4.8.5 - Authenticated Arbitrary Redirect