{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1277", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T22:04:30.416Z", "datePublished": "2026-02-18T04:35:45.102Z", "dateUpdated": "2026-04-08T17:21:28.282Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:28.282Z"}, "affected": [{"vendor": "kaizencoders", "product": "URL Shortify \u2013 Simple and Easy URL Shortener", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.12.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link."}], "title": "URL Shortify <= 1.12.1 - Unauthenticated Open Redirect via 'redirect_to' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c1dc51-47ca-4b2f-9ff9-275bd8b1c106?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/url-shortify/tags/1.11.4/lite/includes/Promo.php#L64"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3451740%40url-shortify&old=3445491%40url-shortify&sfp_email=&sfph_mail=#file1049"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "cweId": "CWE-601", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tarc\u00edsio Luchesi De Almeida Silva"}], "timeline": [{"time": "2026-01-21T05:30:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T16:15:33.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:29:18.999659Z", "id": "CVE-2026-1277", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:29:25.642Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1277", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T20:29:18.999659Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:29:23.097Z"}}], "cna": {"title": "URL Shortify <= 1.12.1 - Unauthenticated Open Redirect via 'redirect_to' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Tarc\u00edsio Luchesi De Almeida Silva"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"}}], "affected": [{"vendor": "kaizencoders", "product": "URL Shortify \u2013 Simple and Easy URL Shortener", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.12.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-21T05:30:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T16:15:33.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c1dc51-47ca-4b2f-9ff9-275bd8b1c106?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/url-shortify/tags/1.11.4/lite/includes/Promo.php#L64"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3451740%40url-shortify&old=3445491%40url-shortify&sfp_email=&sfph_mail=#file1049"}], "descriptions": [{"lang": "en", "value": "The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:28.282Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1277", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:28.282Z", "dateReserved": "2026-01-20T22:04:30.416Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T04:35:45.102Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link."}, {"lang": "es", "value": "El plugin URL Shortify para WordPress es vulnerable a redirecci\u00f3n abierta en todas las versiones hasta la 1.12.1, inclusive, debido a una validaci\u00f3n insuficiente en el par\u00e1metro 'redirect_to' en el manejador de descarte promocional. Esto permite que atacantes no autenticados redirijan a los usuarios a sitios potencialmente maliciosos a trav\u00e9s de un enlace manipulado."}], "id": "CVE-2026-1277", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T05:16:24.960", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/url-shortify/tags/1.11.4/lite/includes/Promo.php#L64"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3451740%40url-shortify&old=3445491%40url-shortify&sfp_email=&sfph_mail=#file1049"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c1dc51-47ca-4b2f-9ff9-275bd8b1c106?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.12.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "URL Shortify \u2013 Simple and Easy URL Shortener", "source": "cna", "vendor": "kaizencoders"}, "product": "url_shortify_\u2013_simple_and_easy_url_shortener", "vendor": "kaizencoders"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:19:48.466044+00:00", "value": {"mitigation_remediation": ["Upgrade the URL Shortify plugin to a version newer than 1.12.1 where the redirect_to parameter has been removed or validated.", "If an upgrade cannot be performed immediately, disable or remove the promotional dismissal functionality that uses the redirect_to parameter, or modify the plugin code to strip the parameter before use.", "Deploy a web application firewall rule that filters or sanitizes the redirect_to query string, blocking arbitrary redirects from untrusted sources."], "summary": {"action": "Patch plugin", "impact": "Open redirect enabling unauthenticated redirection to malicious sites"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed the Kaizencoders URL Shortify plugin with version 1.12.1 or earlier is affected. The plugin versioning is listed up to 1.12.1, and the vulnerability resides in core code handling promotional banner dismissal.", "description_and_impact": "The URL Shortify plugin for WordPress is vulnerable to an open redirect flaw present in all releases up to and including 1.12.1. The flaw stems from insufficient validation on the redirect_to parameter used in the promotional dismissal handler, allowing an attacker to craft a link that will cause any user who clicks it to be redirected to an arbitrary URL, which can be leveraged for phishing, drive\u2011by downloads, or other malicious activities. The vulnerability does not provide code execution or data exfiltration, but it can be used as a vector for social engineering attacks or to siphon traffic to attacker-controlled sites.", "risk_and_exploitability": "The CVSS base score of 4.7 indicates a moderate severity, while the EPSS score of less than 1\u202f% suggests a low likelihood of mass exploitation for the time being. It is not referenced in CISA\u2019s Known Exploited Vulnerabilities catalog, further indicating limited known use. Attackers can exploit this flaw by constructing a malicious URL that contains the unvalidated redirect_to parameter; a victim clicking the link will be redirected after dismissing the banner. No authentication or additional privileges are required."}}}}, "created": "2026-02-18T10:32:53.014769+00:00", "updated": "2026-04-15T18:30:10.938344+00:00", "vendors": ["kaizencoders", "kaizencoders$PRODUCT$url_shortify_\u2013_simple_and_easy_url_shortener", "wordpress", "wordpress$PRODUCT$wordpress"]}