The URL Shortify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.6.5. The cause is insufficient input sanitization and output escaping on the “Link Prefix” setting. Administrators with the highest level of permissions can use this setting to inject arbitrary web scripts into pages, and those scripts execute whenever a user visits one of the injected pages. The issue only affects multi-site installations and installations where the unfiltered_html security feature has been disabled.
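
The two missing controls named above, validation when the setting is saved and escaping when it is rendered, are sketched below in plain PHP. This is an added example, not URL Shortify's code: the function names, the allowed character set and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration: not the plugin's code. Names and policy are hypothetical.

/**
 * Validate a link prefix at save time.
 * Assumed policy: letters, digits, hyphen, underscore; 1 to 32 characters.
 * Returns the cleaned prefix, or null when the value must be rejected.
 */
function example_sanitize_link_prefix(string $raw): ?string
{
    // Strip surrounding whitespace and slashes before checking the allowlist.
    $value = trim($raw, " \t\n\r\0\x0B/");
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $value) !== 1) {
        return null; // anything with quotes, angle brackets, spaces, etc.
    }
    return $value;
}

/**
 * Escape at output time as well, so a value stored before validation
 * existed (or written straight to the database) still renders as text.
 */
function example_render_short_link(string $base, string $prefix, string $slug): string
{
    // Percent-encode each path segment, then HTML-escape for the
    // attribute and text contexts the URL is printed into.
    $url  = rtrim($base, '/') . '/' . rawurlencode($prefix) . '/' . rawurlencode($slug);
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Constructed sample inputs: two ordinary prefixes and one carrying markup.
$samples = ['go', '/promo-2024/', 'go"><b>injected</b>'];
foreach ($samples as $raw) {
    $clean = example_sanitize_link_prefix($raw);
    printf("%-26s => %s\n", json_encode($raw), $clean ?? 'REJECTED');
}

// A stored value that bypassed validation still comes out inert.
echo example_render_short_link('https://example.test', 'go"><b>injected</b>', 'abc'), "\n";
```

Inside WordPress the same two steps correspond to a sanitize callback on the stored option and an escaping function such as esc_attr() or esc_url() at the point of output.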