VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 9 known issues Latest disclosed Feb 19, 2026

URL Shortify – Simple and Easy URL Shortener Vulnerabilities

Review known vulnerability records for the WordPress plugin URL Shortify – Simple and Easy URL Shortener (`url-shortify`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-25385, CVE-2026-1277 and CVE-2025-13355, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
9
High or Critical
1
Patch Coverage
100%
Last Updated
Feb 25, 2026
Priority CVE Quick Links

Fast paths into URL Shortify – Simple and Easy URL Shortener CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
9
CVE-2023-4294 High 1.7.6
CVE-2023-4294 URL Shortify – Simple and Easy URL Shortener Stored Cross-Site Scripting

URL Shortify <= 1.7.5 - Unauthenticated Stored Cross-Site Scripting via Referrer Header

CVE-2026-25385 Medium 1.12.4
CVE-2026-25385 URL Shortify – Simple and Easy URL Shortener Server-Side Request Forgery

URL Shortify <= 1.12.3 - Authenticated (Author+) Server-Side Request Forgery

CVE-2025-13355 Medium 1.11.4
CVE-2025-13355 URL Shortify – Simple and Easy URL Shortener Cross-Site Scripting

URL Shortify <= 1.11.3 - Reflected Cross-Site Scripting

CVE-2025-12684 Medium 1.11.3
CVE-2025-12684 URL Shortify – Simple and Easy URL Shortener Cross-Site Scripting

URL Shortify <= 1.11.2 - Reflected Cross-Site Scripting

CVE-2026-1277 Medium 1.12.2
CVE-2026-1277 URL Shortify – Simple and Easy URL Shortener Vulnerability

URL Shortify <= 1.12.1 - Unauthenticated Open Redirect via 'redirect_to' Parameter

CVE-2025-32134 Medium 1.10.6
CVE-2025-32134 URL Shortify – Simple and Easy URL Shortener Stored Cross-Site Scripting

URL Shortify <= 1.10.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

CVE-2023-5605 Medium 1.7.9.1
CVE-2023-5605 URL Shortify – Simple and Easy URL Shortener Stored Cross-Site Scripting

URL Shortify <= 1.7.9 - Authenticated (Admin+) Stored Cross-Site Scripting

CVE-2023-3129 Medium 1.7.0
CVE-2023-3129 URL Shortify – Simple and Easy URL Shortener Stored Cross-Site Scripting

URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress <= 1.6.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for URL Shortify – Simple and Easy URL Shortener so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
9 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 1 high severity finding.
Recent CVEs
CVE-2026-25385, CVE-2026-1277 and CVE-2025-13355
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for URL Shortify – Simple and Easy URL Shortener

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-25385
CVE-2026-25385: URL Shortify <= 1.12.3 - Authenticated (Author+) Server-Side Request Forgery

The URL Shortify – Simple and Easy URL Shortener plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.12.3. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitra...

Published
Feb 19, 2026
Patched Release
1.12.4
Affected Versions
Versions up to 1.12.3
Next Step
Update to 1.12.4 or newer if supported.
Open CVE-2026-25385 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-1277
CVE-2026-1277: URL Shortify <= 1.12.1 - Unauthenticated Open Redirect via 'redirect_to' Parameter

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect u...

Published
Feb 17, 2026
Patched Release
1.12.2
Affected Versions
Versions up to 1.12.1
Next Step
Update to 1.12.2 or newer if supported.
Open CVE-2026-1277 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-13355
CVE-2025-13355: URL Shortify <= 1.11.3 - Reflected Cross-Site Scripting

The URL Shortify plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.11.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

Published
Nov 24, 2025
Patched Release
1.11.4
Affected Versions
Versions up to 1.11.3
Next Step
Update to 1.11.4 or newer if supported.
Open CVE-2025-13355 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-12684
CVE-2025-12684: URL Shortify <= 1.11.2 - Reflected Cross-Site Scripting

The URL Shortify plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.11.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

Published
Nov 24, 2025
Patched Release
1.11.3
Affected Versions
Versions up to 1.11.2
Next Step
Update to 1.11.3 or newer if supported.
Open CVE-2025-12684 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-32134
CVE-2025-32134: URL Shortify <= 1.10.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

The URL Shortify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.10.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above,...

Published
Apr 04, 2025
Patched Release
1.10.6
Affected Versions
Versions up to 1.10.5.1
Next Step
Update to 1.10.6 or newer if supported.
Open CVE-2025-32134 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-5605
CVE-2023-5605: URL Shortify <= 1.7.9 - Authenticated (Admin+) Stored Cross-Site Scripting

The URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes...

Published
Nov 16, 2023
Patched Release
1.7.9.1
Affected Versions
Versions up to 1.7.9
Next Step
Update to 1.7.9.1 or newer if supported.
Open CVE-2023-5605 Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-4294
CVE-2023-4294: URL Shortify <= 1.7.5 - Unauthenticated Stored Cross-Site Scripting via Referrer Header

The URL Shortify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the referrer header in versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

Published
Aug 21, 2023
Patched Release
1.7.6
Affected Versions
Versions up to 1.7.5
Next Step
Update to 1.7.6 or newer if supported.
Open CVE-2023-4294 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-3129
CVE-2023-3129: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress <= 1.6.5 - Authenticated (Admin+) Stored Cross-Site Scripting

The URL Shortify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping on the "Link Prefix" setting. This makes it possible for authenticated attacker...

Published
Jun 19, 2023
Patched Release
1.7.0
Affected Versions
Versions before 1.7.0
Next Step
Update to 1.7.0 or newer if supported.
Open CVE-2023-3129 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2021-24749
CVE-2021-24749: URL Shortify <= 1.5.0 - Cross-Site Request Forgery

The URL Shortify WordPress plugin before 1.5.1 does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and group via a CSRF attack.

Published
Oct 28, 2021
Patched Release
1.5.1
Affected Versions
Versions up to 1.5.0
Next Step
Update to 1.5.1 or newer if supported.
Open CVE-2021-24749 Report Open CVE Reference