CVE-2026-1277, an unauthenticated open redirect (CWE-601, CVSS 6.1) in the URL Shortify WordPress plugin through version 1.12.1, is CISA KEV-confirmed with active exploitation in the wild despite its medium CVSS rating. Exploitation requires no authentication and enables attackers to redirect site visitors to attacker-controlled phishing infrastructure by abusing an unvalidated redirect_to parameter in the plugin’s dismissal handler. Immediate action is to disable or remove the plugin on all affected WordPress installations and upgrade to a patched version once available from kaizencoders; apply WAF rules blocking unauthenticated requests with external URL values in redirect parameters as an interim control.
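The interim control described above, expressed as a log-hunting check (an added example, not code from the plugin or its vendor): it flags requests whose redirect_to value resolves to a host other than the site's own. The hostname in SITE_HOSTS, the access-log format, and the sample paths and the example_dismiss parameter are constructed assumptions, not the plugin's real request format.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: the site's own hostnames; any other host in redirect_to is external.
SITE_HOSTS = {"blog.example.test"}
REDIRECT_PARAMS = {"redirect_to"}  # parameter named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (Combined Log Format prefix); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /?example_dismiss=1&redirect_to=https%3A%2F%2Flogin.phish.example%2F HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /?example_dismiss=1&redirect_to=%252F%252Fphish.example%252Fa HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Jan/2026:10:00:12 +0000] "GET /?redirect_to=https%3A%2F%2Fblog.example.test%2Fabout HTTP/1.1" 302 0',
]

def external_target(value, site_hosts=SITE_HOSTS):
    """Return the external host a redirect value points to, or None if it stays on site."""
    v = value.strip()
    for _ in range(3):  # conservative: also unwrap double-encoded values
        decoded = unquote(v)
        if decoded == v:
            break
        v = decoded
    # Browsers treat "\" like "/" and drop tab/CR/LF inside URLs.
    v = re.sub(r"[\t\r\n]", "", v).replace("\\", "/")
    try:
        host = (urlsplit(v).hostname or "").lower()
    except ValueError:
        return "unparseable"  # malformed authority: surface it for review
    return host if host and host not in site_hosts else None

def scan(lines, site_hosts=SITE_HOSTS):
    """Return (client_ip, parameter, external_host) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in REDIRECT_PARAMS:
                host = external_target(value, site_hosts)
                if host:
                    hits.append((line.split(" ", 1)[0], name, host))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The same host comparison is what a WAF rule for this parameter needs to enforce: relative paths and same-site URLs pass, while absolute, protocol-relative, userinfo-prefixed and backslash-prefixed targets are treated as external.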

Author

Tech Jacks Solutions