CVE-2026-1277 is a medium-severity (CVSS 6.1) unauthenticated open redirect in the URL Shortify WordPress plugin through version 1.12.1, confirmed by both CISA KEV and VulnCheck KEV as actively exploited and used as a delivery mechanism for phishing and malware distribution campaigns. Immediately deactivate the plugin on all affected WordPress installations and upgrade to the patched version (confirm current patched release via wordpress.org/plugins/url-shortify); also deploy WAF rules blocking unsanitized redirect_to parameter abuse as a standing control.