The URL Shortify WordPress plugin (all versions through 1.12.1) contains an unauthenticated open redirect vulnerability (CWE-601, CVSS 6.1), confirmed in both CISA KEV and VulnCheck KEV. It lets attackers weaponize legitimate short links for phishing and malware delivery at scale, without any session or privilege. No patched version was confirmed available at analysis time; the plugin should be disabled or removed from all public-facing WordPress installations immediately, pending confirmation of a fix in the WordPress plugin repository. WAF rules that block external values in the redirect_to parameter provide a compensating control while remediation is prepared.
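
An added example (not from the advisory or the plugin's code): a Python check that applies the "external value in redirect_to" test to web access-log lines, useful for reviewing past requests and for testing the logic a WAF rule would enforce. The allowed host shop.example, the request path and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: hostnames this site legitimately redirects to.
SITE_HOSTS = {"shop.example"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /?redirect_to=%2Faccount%2Forders HTTP/1.1" 302 0',
    '203.0.113.8 - - [01/Jan/2025:10:00:05 +0000] "GET /?redirect_to=https%3A%2F%2Flogin.invalid%2Fa HTTP/1.1" 302 0',
    '203.0.113.8 - - [01/Jan/2025:10:00:09 +0000] "GET /?redirect_to=%2F%5Clogin.invalid HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2025:10:00:12 +0000] "GET /?redirect_to=https%3A%2F%2Fshop.example%2Fcart HTTP/1.1" 302 0',
]

def is_external(value):
    """True if a redirect_to value would send the browser off-site."""
    # Browsers read "\" as "/" in http(s) URLs and drop tabs and newlines.
    v = re.sub(r"[\t\r\n]", "", value.strip().replace("\\", "/"))
    try:
        parts = urlsplit(v)
    except ValueError:
        return True  # unparseable authority: treat as suspicious
    if parts.scheme not in ("", "http", "https"):
        return True  # non-web schemes are never a valid local target
    if not parts.netloc:
        # No authority: a bare path is local; "https:/host" is malformed, so flag it.
        return bool(parts.scheme)
    return (parts.hostname or "").lower() not in SITE_HOSTS

def flag_requests(log_lines):
    """Return (line_number, decoded redirect_to) for each external target."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get("redirect_to", []):
            # parse_qs decodes once; decode again to catch double-encoded values.
            if is_external(value) or is_external(unquote(value)):
                hits.append((n, value))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Comparing the parsed hostname against an allowlist, rather than matching substrings of the raw value, is what keeps same-site redirects working while protocol-relative and backslash forms are still caught.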