The URL Shortify WordPress plugin (all versions through 1.12.1) is affected by CVE-2026-1277, a CISA KEV-confirmed open redirect vulnerability that allows unauthenticated attackers to craft links that silently redirect users to attacker-controlled sites, enabling credential phishing and brand impersonation. The risk is elevated for organizations that distribute shortened links through official communications channels, where trust in the sending domain makes phishing more effective. Deactivate the plugin immediately on all public-facing WordPress installations, monitor for a vendor-confirmed patched release above version 1.12.1, and audit web server logs for prior exploitation of the redirect_to parameter.
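One way to run the log audit recommended above, as an added example that is not code from the plugin or its vendor: it flags requests whose redirect_to value resolves to a host outside the site's own. The combined access-log format, the SITE_HOSTS values and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: hostnames that belong to the audited site; replace with your own.
SITE_HOSTS = {"example.org", "www.example.org"}

# Client IP, timestamp, request target and status from a combined-format log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE = [
    '203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "GET /?redirect_to=https%3A%2F%2Flogin.example.net%2Fsso HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jan/2026:10:02:10 +0000] "GET /wp-login.php?redirect_to=https%3A%2F%2Fexample.org%2Fwp-admin%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2026:10:03:44 +0000] "GET /?redirect_to=%2F%2Fcdn.example.net%2Fa HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '198.51.100.4 - - [12/Jan/2026:10:04:00 +0000] "GET /about/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

def external_target(value):
    """Return the off-site host a redirect_to value points to, or None."""
    v = value.strip().replace("\\", "/")   # browsers treat backslashes as slashes
    if v.startswith("//"):                 # scheme-relative URL still names a host
        v = "http:" + v
    try:
        host = urlsplit(v).hostname
    except ValueError:                     # malformed value, nothing to resolve
        return None
    if host is None:                       # relative path stays on the site
        return None
    host = host.lower().rstrip(".")
    return None if host in SITE_HOSTS else host

def audit(lines):
    """Return (timestamp, client_ip, status, target_host) for off-site redirects."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target, status = m.groups()
        # parse_qs percent-decodes the value before it is inspected.
        for value in parse_qs(urlsplit(target).query).get("redirect_to", []):
            host = external_target(value)
            if host:
                findings.append((ts, ip, status, host))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

WordPress core also uses a redirect_to parameter on wp-login.php, so same-site values are expected and are not flagged; review the flagged target hosts against destinations your organization actually links to.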