I'm not convinced this is a real vulnerability. If a hacker can update the url on your website, then couldn't they just send you to the malicious website in the first place? I can work on this and fix it so it won't redirect off of your website, but I'm not sure this is really worth spending time on or worrying about. The bug seems to assume they can update the url on your website to change the url parameter, but couldn't just update the url itself?