
CVE-2026-1277 Scanner

CVE-2026-1277 Scanner - Open Redirect vulnerability in URL Shortify (WordPress Plugin)

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 1 hour
Scan only one: URL

URL Shortify is a WordPress plugin used to shorten URLs on websites. It is widely used by website administrators and digital marketers for managing and tracking the performance of shortened links. This plugin facilitates easier link management and branding for URLs. With its features, users can create custom branded short links that are trackable and manageable. URL Shortify is typically used on WordPress sites to improve link display and user engagement. Its popularity in the WordPress community comes from its integration with various marketing tools.

The vulnerability detected in URL Shortify is an Open Redirect. It arises due to insufficient validation on the 'redirect_to' parameter within the promotional dismissal handler. This type of vulnerability allows attackers to redirect users to potentially malicious sites. Open Redirects can facilitate phishing attacks or the distribution of malware. The exploit does not require authentication, making it easier for attackers to target users. This vulnerability underscores the importance of proper validation for redirect functionalities in web applications.

The Open Redirect vulnerability in URL Shortify is specifically related to the 'redirect_to' parameter. Attackers can craft a link that uses this parameter to direct users to a malicious site. The endpoints involved in the exploit include specific promotional and welcome offer handlers in the admin-ajax.php file. The vulnerability affects all versions up to and including 1.12.1. The improper validation allows for manipulation of redirect destinations, posing significant risks if exploited. Correcting this flaw requires updating the plugin to a secure version.
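The flaw described above is a redirect handler that passes a request-supplied 'redirect_to' value straight into the Location header. The following is an added illustration, written for this page; it is not the plugin's code and not S4E's scanner. It is in Python rather than PHP so that it runs stand-alone, and it places a hypothetical dismissal handler in its flawed form beside a hardened form that validates the destination against the site's own origin. The site origin `https://example.test`, the handler names, the fallback path `/wp-admin/` and the sample 'redirect_to' values are all assumptions constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Assumed site origin for this example; a real handler would derive it from
# the site's configured home URL.
SITE_ORIGIN = "https://example.test"
# Assumed known-safe fallback used when the requested destination is rejected.
FALLBACK_PATH = "/wp-admin/"


def is_safe_redirect(target: str, site_origin: str = SITE_ORIGIN) -> bool:
    """Return True only if `target` resolves to the same scheme and host as site_origin.

    This is stricter than a string-prefix check: the target is resolved against
    the origin, and protocol-relative URLs (//host), non-HTTP schemes, userinfo
    tricks (https://site@attacker) and characters that browsers or proxies may
    reinterpret (backslash, whitespace, CR/LF) are all rejected.
    """
    if not target:
        return False
    if "\\" in target or any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    if target.startswith("//"):
        return False  # protocol-relative: the browser keeps the scheme but swaps the host
    site = urlsplit(site_origin)
    resolved = urlsplit(urljoin(site_origin, target))
    if resolved.scheme not in ("http", "https"):
        return False
    # Scheme must match too, so a downgrade to plain http is rejected as well.
    return (resolved.scheme, resolved.netloc.lower()) == (site.scheme, site.netloc.lower())


def validate_redirect(target: str, fallback: str = FALLBACK_PATH) -> str:
    """Return `target` when it is safe, otherwise the known-safe fallback."""
    return target if is_safe_redirect(target) else fallback


def handle_dismiss_vulnerable(params: dict) -> str:
    """Hypothetical dismissal handler with the flawed pattern: the Location value
    is taken directly from the request's redirect_to parameter."""
    return params.get("redirect_to", FALLBACK_PATH)


def handle_dismiss_hardened(params: dict) -> str:
    """The same handler with the destination validated before it is used."""
    return validate_redirect(params.get("redirect_to", ""))


if __name__ == "__main__":
    # Constructed sample redirect_to values, as a unit test might submit them.
    samples = [
        "/wp-admin/admin.php?page=example",
        "https://example.test/wp-admin/",
        "https://attacker.test/login",
        "//attacker.test/",
        "https://example.test@attacker.test/",
        "javascript:alert(1)",
        "http://example.test/",
    ]
    for t in samples:
        print(
            f"{t!r:42} vulnerable -> {handle_dismiss_vulnerable({'redirect_to': t})!r:40} "
            f"hardened -> {handle_dismiss_hardened({'redirect_to': t})!r}"
        )
```

In an actual WordPress plugin the equivalent fix is to send the user through `wp_safe_redirect()` (or to pass the value through `wp_validate_redirect()` with a safe fallback), which restricts the destination to the site's own host and any explicitly allowed hosts; the hand-written validator above only shows what that check has to cover.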

Exploiting this vulnerability can have several serious effects. Users may unintentionally visit malicious sites, leading to potential exposure to phishing attacks or malware infections. This can compromise user data and trust if attackers impersonate legitimate sites. Redirect vulnerabilities undermine the reliability of the URL shortening service, possibly impacting campaigns involving shortened URLs. The vulnerability might also be used in broader attacks against the WordPress infrastructure. For administrators, this could lead to increased support requests or reputational damage to their sites.
