CVE-2026-1277
Received Received - Intake
Open Redirect Vulnerability in WordPress URL Shortify Plugin

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description
The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1277
EUVD
EUVD-2026-7923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kaizencoders url_shortify to 1.12.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The URL Shortify plugin for WordPress has a vulnerability known as an Open Redirect in all versions up to and including 1.12.1. This occurs because the plugin does not properly validate the 'redirect_to' parameter in its promotional dismissal handler. As a result, an unauthenticated attacker can craft a link that redirects users to potentially malicious websites.

Impact Analysis

This vulnerability can impact you by allowing attackers to redirect your users to malicious sites without their consent. Since the redirect can be triggered by a crafted link, users might be tricked into visiting harmful websites that could lead to phishing, malware infections, or other security risks. The vulnerability requires no authentication, increasing the risk of exploitation.

Compliance Impact

I don't know

Detection Guidance

The vulnerability involves an open redirect via the 'redirect_to' parameter in the URL Shortify WordPress plugin's promotional dismissal handler. Detection would involve monitoring HTTP requests to the WordPress admin area that include parameters like 'kc_us_dismiss_admin_notice=1' and a crafted 'redirect_to' URL.

You can detect attempts by inspecting web server logs or using network monitoring tools to identify requests containing suspicious 'redirect_to' parameters that point to external or malicious URLs.

Example commands to detect such attempts include:

  • Using grep on web server logs to find suspicious redirect_to parameters: grep -i 'redirect_to=' /var/log/apache2/access.log
  • Using curl to test if the redirect_to parameter causes an open redirect: curl -I 'https://yourwordpresssite.com/wp-admin/admin.php?kc_us_dismiss_admin_notice=1&redirect_to=http://malicious.example.com'
  • Using a web proxy or interception tool (e.g., Burp Suite) to capture and analyze requests with the 'redirect_to' parameter.
Mitigation Strategies

To mitigate this vulnerability, immediately update the URL Shortify plugin to a version later than 1.12.1 where the issue is fixed.

If an update is not immediately possible, consider temporarily disabling the URL Shortify plugin to prevent exploitation.

Additionally, implement web application firewall (WAF) rules to block requests containing suspicious 'redirect_to' parameters that redirect to external domains.

Monitor your logs for exploitation attempts and inform users to avoid clicking on suspicious links that may exploit this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1277. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart