CVE-2026-1277 (CVSS 6.1) is an open redirect vulnerability in the URL Shortify WordPress plugin through version 1.12.1. It is confirmed in CISA KEV, with active exploitation enabling phishing and credential harvesting via crafted links that route users from trusted WordPress domains to attacker-controlled sites. The vulnerability resides in the promotional dismissal handler, which fails to validate the redirect_to parameter before processing it, and exploitation requires no authentication. Upgrade beyond version 1.12.1 immediately, or disable the plugin if patching cannot be completed promptly; audit existing short links for entries pointing to external or suspicious domains.
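
To triage exposure while patching, the following added example (not code from the advisory or the plugin) scans web access logs for requests whose redirect_to value resolves to a host outside the site. It assumes combined-format log lines and a `SITE_HOSTS` allowlist you define; the `placeholder_action` parameter and all hostnames in the sample are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOSTS = {"blog.example.com"}  # assumption: hosts this site may redirect to
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def offsite_reason(target):
    """Return why a redirect target leaves the site, or None if it stays on it."""
    t = target.strip().replace("\\", "/")  # browsers read "\" as "/"
    if t.startswith("//"):                 # scheme-relative URL
        t = "https:" + t
    try:
        parts = urlsplit(t)
        host = parts.hostname              # userinfo ("trusted@host") is excluded
    except ValueError:
        return "unparseable target"
    if parts.scheme not in ("", "http", "https"):
        return "non-HTTP scheme " + parts.scheme
    if host is None:
        return "scheme without host" if parts.scheme else None
    return None if host in SITE_HOSTS else "external host " + host

def find_offsite_redirects(log_lines):
    """Return a list of (line_no, decoded redirect_to, reason) for off-site targets."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = match.group(1).partition("?")[2]
        for target in parse_qs(query).get("redirect_to", []):
            reason = offsite_reason(target)
            if reason:
                hits.append((line_no, target, reason))
    return hits

# Constructed sample log; "placeholder_action" stands in for the plugin's real
# request parameters, which the advisory does not give.
PREFIX = '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /?placeholder_action=dismiss'
SAMPLE_LOG = [
    PREFIX + '&redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0',
    PREFIX + '&redirect_to=https%3A%2F%2Flogin.attacker.example%2F HTTP/1.1" 302 0',
    PREFIX + '&redirect_to=%2F%2Fattacker.example%2Fa HTTP/1.1" 302 0',
    PREFIX + '&redirect_to=https%3A%2F%2Fblog.example.com%2Fabout HTTP/1.1" 302 0',
    PREFIX + '&redirect_to=https%3A%2F%2Fblog.example.com%40attacker.example%2F HTTP/1.1" 302 0',
    PREFIX + ' HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, target, reason in find_offsite_redirects(SAMPLE_LOG):
        print(f"line {line_no}: redirect_to={target!r} -> {reason}")
```

The same `offsite_reason` check can be run over an export of the plugin's short-link destinations to support the audit step.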