CVE-2026-1277

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/url-shortify/tags/1.11.4/lite/includes/Promo.php#L64
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3451740%40url-shortify&old=3445491%40url-shortify&sfp_email=&sfph_mail=#file1049
https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c1dc51-47ca-4b2f-9ff9-275bd8b1c106?source=cve

Configurations

No configuration.

History

18 Feb 2026, 17:51

Type	Values Removed	Values Added
Summary		(es) El plugin URL Shortify para WordPress es vulnerable a redirección abierta en todas las versiones hasta la 1.12.1, inclusive, debido a una validación insuficiente en el parámetro 'redirect_to' en el manejador de descarte promocional. Esto permite que atacantes no autenticados redirijan a los usuarios a sitios potencialmente maliciosos a través de un enlace manipulado.

18 Feb 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-18 05:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-1277

Mitre link : CVE-2026-1277

CVE.ORG link : CVE-2026-1277

JSON object : View

Products Affected

No product.

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

4.7 /10