URL Shortify <= 1.12.1 - Unauthenticated Open Redirect via 'redirect_to' Parameter
Description
The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Technical Details
Affected versions: <= 1.12.1
What Changed in the Fix
Changes introduced in v1.12.2
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-1277 (URL Shortify)
1. Vulnerability Summary
The URL Shortify plugin (up to version 1.12.1) is vulnerable to an Unauthenticated Open Redirect. The flaw exists in the promotional notice dismissal handler, which processes a redirect_to parameter. Because the plugin uses the WordPress wp_redirect() function instead of the host-validating wp_safe_redirect(), and so never checks the destination host, an attacker can craft a link that redirects any user (including unauthenticated visitors) to an external malicious domain.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-post.php or /wp-admin/admin-ajax.php (typically handles notice dismissals).
- Hook: Likely admin_init or wp_ajax_nopriv_us_dismiss_promotional_notice.
- Vulnerable Parameter: redirect_to.
- Action Name: us_dismiss_promotional_notice (inferred from description) or us_dismiss_notice.
- Authentication: Unauthenticated.
- Preconditions: None. The handler is reachable by anyone hitting the admin initialization path.
3. Code Flow (Inferred from File Structure)
- Entry Point: A user or automated script sends a GET request to /wp-admin/admin-post.php?action=us_dismiss_promotional_notice&redirect_to=https://evil.com.
- Hook Execution: The WordPress admin_init hook fires. Even for unauthenticated users, admin-post.php triggers admin_init.
- Handler Identification: The plugin's Admin class (likely in lite/includes/Admin.php) listens for the action parameter.
- Processing:
  - The function dismiss_promotional_notice() (inferred) is called.
  - It retrieves the redirect_to parameter: $redirect = $_GET['redirect_to'];.
  - It might perform a nonce check, but if the wp_redirect($redirect) call occurs regardless of the nonce validation outcome, or if the nonce check is missing for unauthenticated "nopriv" contexts, the redirect proceeds.
- Sink: The plugin calls wp_redirect($redirect). Since $redirect contains https://evil.com, the server issues a 302 Found response to the external site.
4. Nonce Acquisition Strategy
The vulnerability is described as Unauthenticated. In many cases involving promotional dismissals in WordPress:
- The nonce check might be entirely missing.
- The nonce check might use check_ajax_referer(..., ..., false) where the third parameter is false (don't die on failure), allowing the code to continue to the redirect.
- The wp_redirect() might be called in the "finally" block or outside the conditional that checks the nonce.
If a nonce is strictly required:
- Shortcode: The plugin might expose nonces on the dashboard.
- Variable: Check for window.kc_us_admin_obj?.nonce or similar in the dashboard.
- Strategy: Since this is "Unauthenticated", we first attempt the exploit without a nonce. If it fails, we will search lite/includes/Admin.php for where the nonce is generated and attempt to find a public-facing page that enqueues it.
5. Exploitation Strategy
We will use the http_request tool to simulate a victim clicking a crafted link.
Step 1: Discover the exact Action Name
Since the source is a .pot file, we need to confirm the action string. We will use grep to find the handler in the lite/includes/Admin.php file.
grep -rn "add_action.*admin_init" lite/includes/Admin.php
grep -rn "add_action.*wp_ajax" lite/includes/Admin.php
grep -rn "redirect_to" lite/includes/Admin.php
Step 2: Execute Open Redirect
Assuming the action is us_dismiss_promotional_notice (based on plugin slug us and "promotional dismissal" description):
Request:
- Method: GET
- URL: http://localhost:8080/wp-admin/admin-post.php?action=us_dismiss_promotional_notice&redirect_to=https://www.google.com
- Headers: None required (Unauthenticated).
Expected Response:
- Status: 302 Found
- Header: Location: https://www.google.com
6. Test Data Setup
- Install and activate URL Shortify version 1.12.1.
- No specific users or posts are required because the vulnerability is unauthenticated.
7. Expected Results
- The HTTP response from the WordPress server must be a redirect (302).
- The Location header in the response must match the external URL provided in the redirect_to parameter.
- The exploitation agent should confirm that no validation was performed on the domain of the redirect_to value.
8. Verification Steps
- HTTP Verification: Check the headers of the exploit request:
  # (Using the agent's internal state/logs from http_request)
  # Confirm: response.status === 302
  # Confirm: response.headers['location'] === 'https://www.google.com'
- Code Verification: Inspect the patched version (1.12.2) vs the vulnerable version (1.12.1) to confirm wp_safe_redirect() was introduced.
  grep -r "wp_safe_redirect" .
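To script the comparison in sections 7 and 8, the following added example (not part of the original plan or the plugin) classifies the dismissal endpoint's response the way wp_safe_redirect()'s host check does: a Location header that leaves the site's host is an open redirect, a relative path or same-host URL is safe. The site URL and all sample responses are constructed from the plan's values, not real captures.

```python
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

SITE_URL = "http://localhost:8080"  # the test install used in the plan (constructed)


def is_offsite(location: str, site_url: str = SITE_URL,
               allowed_hosts: FrozenSet[str] = frozenset()) -> bool:
    """True if Location points outside the site host (and any extra allowed hosts).

    Mirrors the check wp_validate_redirect() applies inside wp_safe_redirect():
    relative paths and same-host absolute URLs pass; any other host fails.
    allowed_hosts stands in for what WP's allowed_redirect_hosts filter would add.
    """
    loc = location.strip()
    # Browsers treat "//host/..." as protocol-relative, i.e. another host.
    if loc.startswith("//"):
        return True
    parts = urlsplit(loc)
    if not parts.scheme and not parts.netloc:
        return False  # relative path such as /wp-admin/
    host = (parts.hostname or "").lower()
    site_host = (urlsplit(site_url).hostname or "").lower()
    return host not in ({site_host} | {h.lower() for h in allowed_hosts})


def classify_redirect(status: int, location: Optional[str]) -> str:
    """Verdict for one response: 'open_redirect', 'safe' or 'no_redirect'."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no_redirect"
    return "open_redirect" if is_offsite(location) else "safe"


# Constructed responses for ...&redirect_to=https://www.google.com:
# what 1.12.1 (wp_redirect) and 1.12.2 (wp_safe_redirect, which falls back to
# admin_url() for a rejected host) are expected to return per sections 7 and 8.
SAMPLE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "1.12.1 wp_redirect": (302, "https://www.google.com"),
    "1.12.2 wp_safe_redirect": (302, "http://localhost:8080/wp-admin/"),
    "protocol-relative target": (302, "//www.google.com/"),
    "relative path": (302, "/wp-admin/"),
    "no redirect at all": (200, None),
}


def run_samples() -> Dict[str, str]:
    return {name: classify_redirect(s, loc) for name, (s, loc) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26s} -> {verdict}")
```

Point classify_redirect() at the status and Location header captured from the http_request step to get the same verdict for a live install.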
9. Alternative Approaches
If admin-post.php does not work, the dismissal might be handled via admin-ajax.php.
- Alternative URL: http://localhost:8080/wp-admin/admin-ajax.php?action=us_dismiss_promotional_notice&redirect_to=https://www.google.com
If a different parameter name is used (e.g., url instead of redirect_to), we will search the source for wp_redirect calls:
grep -r "wp_redirect" lite/includes/
Then trace the variable used in that call back to its source (likely $_GET).
Summary
The URL Shortify plugin for WordPress is vulnerable to an unauthenticated open redirect in versions up to 1.12.1. The flaw exists in the promotional notice dismissal handler which uses wp_redirect() on the user-supplied 'redirect_to' parameter without validating the destination host.
Vulnerable Code
// File: lite/includes/Admin.php
/**
 * Dismiss promotional notice.
 */
public function dismiss_promotional_notice() {
	if ( isset( $_GET['action'] ) && 'us_dismiss_promotional_notice' === $_GET['action'] ) {
		$redirect_to = isset( $_GET['redirect_to'] ) ? $_GET['redirect_to'] : admin_url();
		update_option( 'us_promotional_notice_dismissed', 1 );
		wp_redirect( $redirect_to );
		exit;
	}
}
Security Fix
@@ -... +... @@ - wp_redirect( $redirect_to ); + wp_safe_redirect( $redirect_to );
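Review bot: swapping wp_redirect() for wp_safe_redirect() on the changed line is the right fix for the redirect itself, since wp_safe_redirect() runs the target through wp_validate_redirect(), which rejects any host other than the site's own (or one added via the allowed_redirect_hosts filter) and falls back to admin_url(). It does not touch the surrounding handler shown above, which still runs update_option() for any request carrying the action parameter with no nonce or capability check; consider guarding the state change with check_admin_referer() and current_user_can() as well.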
Exploit Outline
An unauthenticated attacker can exploit this by crafting a malicious link to the WordPress admin-post.php endpoint. The payload involves setting the 'action' parameter to 'us_dismiss_promotional_notice' and the 'redirect_to' parameter to an external malicious URL. Because the plugin hooks this handler to 'admin_init', the logic is executed when any user (unauthenticated or otherwise) visits the crafted link. The server fails to validate the domain in the redirect_to parameter and issues a 302 redirect to the external site.