CVE-2026-28106
Received Received - Intake
Open Redirect Vulnerability in B2BKing Premium Enables Phishing

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: Patchstack

Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Kings Plugins B2BKing Premium allows Phishing.This issue affects B2BKing Premium: from n/a before 5.4.20.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28106
EUVD
EUVD-2026-10030
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kings_plugins b2bking_premium to 5.3.80 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28106 is an Open Redirection vulnerability found in the WordPress B2BKing Premium Plugin versions up to and including 5.3.80.

This vulnerability allows a malicious actor to redirect users from a legitimate site to a malicious one due to improper validation of redirect URLs.

Exploitation requires user interaction, such as clicking a malicious link, visiting a crafted page, or submitting a form, and involves a privileged user performing the action.

It is classified under OWASP Top 10 A1: Broken Access Control with a CVSS score of 4.7, indicating low severity and low priority.

Impact Analysis

The primary risk of this vulnerability is phishing attacks, where users are tricked into visiting malicious sites after initially accessing a legitimate one.

Because exploitation requires user interaction and a privileged user to perform the redirect, the likelihood of exploitation is considered low.

If exploited, it could lead to users being exposed to malicious content or scams hosted on untrusted sites.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves an Open Redirection issue in the B2BKing Premium plugin that requires user interaction such as clicking a malicious link or submitting a form. Detection would involve monitoring for suspicious redirect URLs or unusual user redirection behavior on your WordPress site.

Since the vulnerability is related to improper validation of redirect URLs, you can detect potential exploitation attempts by analyzing web server logs for redirect requests containing unexpected or external URLs.

No specific commands are provided in the available resources, but general approaches include:

  • Using web server log analysis tools (e.g., grep) to search for redirect parameters pointing to external or untrusted domains.
  • Monitoring HTTP response codes 3xx with Location headers redirecting to suspicious URLs.
  • Using web application scanners or security plugins that can detect open redirect patterns.
Mitigation Strategies

There is currently no official patch available for this vulnerability.

Immediate mitigation steps include:

  • Avoid clicking on suspicious links or redirect URLs related to the B2BKing Premium plugin.
  • Limit privileged user interactions that could trigger the redirect vulnerability.
  • Implement web application firewall (WAF) rules to block or monitor suspicious redirect attempts.
  • Educate users about phishing risks related to this vulnerability.

Monitor for updates from the plugin developer or security advisories for an official patch.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart