CVE-2026-28106
Status: Received - Intake
Open Redirect Vulnerability in B2BKing Premium Enables Phishing

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: Patchstack

Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Kings Plugins B2BKing Premium allows Phishing. This issue affects B2BKing Premium: from n/a before 5.4.20.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-09
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: kings_plugins
Product: b2bking_premium
Version / Range: up to 5.3.80 (inclusive)
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28106 is an Open Redirection vulnerability found in the WordPress B2BKing Premium Plugin versions up to and including 5.3.80.

This vulnerability allows a malicious actor to redirect users from a legitimate site to a malicious one due to improper validation of redirect URLs.

Exploitation requires user interaction, such as clicking a malicious link, visiting a crafted page, or submitting a form, and involves a privileged user performing the action.

It is classified under OWASP Top 10 A1: Broken Access Control with a CVSS score of 4.7, indicating low severity and low priority.


How can this vulnerability impact me?

The primary risk of this vulnerability is phishing attacks, where users are tricked into visiting malicious sites after initially accessing a legitimate one.

Because exploitation requires user interaction and a privileged user to perform the redirect, the likelihood of exploitation is considered low.

If exploited, it could lead to users being exposed to malicious content or scams hosted on untrusted sites.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an Open Redirection issue in the B2BKing Premium plugin that requires user interaction such as clicking a malicious link or submitting a form. Detection would involve monitoring for suspicious redirect URLs or unusual user redirection behavior on your WordPress site.

Since the vulnerability is related to improper validation of redirect URLs, you can detect potential exploitation attempts by analyzing web server logs for redirect requests containing unexpected or external URLs.

No specific commands are provided in the available resources, but general approaches include:

  • Using web server log analysis tools (e.g., grep) to search for redirect parameters pointing to external or untrusted domains.
  • Monitoring HTTP response codes 3xx with Location headers redirecting to suspicious URLs.
  • Using web application scanners or security plugins that can detect open redirect patterns.
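As an added example (not part of the advisory and not the plugin's own code), the log-analysis approach above applied to constructed access-log lines: requests whose redirect-style query parameter points off-site are flagged. The parameter names and the site host are assumptions, since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Mar/2026:10:01:02 +0000] "GET /b2bking/?redirect_to=/my-account/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Mar/2026:10:01:10 +0000] "GET /b2bking/?redirect_to=https://evil.example/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2026:10:02:00 +0000] "GET /b2bking/?redirect_to=//evil.example/x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.8 - - [06/Mar/2026:10:02:30 +0000] "GET /shop/?return_url=https://shop.example/cart HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Mar/2026:10:03:00 +0000] "POST /wp-login.php?redirect_to=https%3A%2F%2Fevil.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed names of redirect-carrying parameters; the advisory does not name the vulnerable one.
REDIRECT_PARAMS = {"redirect_to", "redirect", "return_url", "url", "next"}

# Request line and status code of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def is_external(target: str, site_host: str) -> bool:
    """True when a redirect value would leave site_host (absolute URL, //host, or bare scheme)."""
    # Browsers treat backslashes like slashes in the authority part, so normalise them first.
    value = target.strip().replace("\\", "/")
    parts = urlsplit(value)
    if parts.netloc:
        # .hostname strips userinfo and port, so "shop.example@evil.example" resolves to evil.example.
        return (parts.hostname or "") != site_host.lower()
    # A scheme with no host (e.g. javascript:) is still not a same-site path.
    return bool(parts.scheme)


def find_external_redirects(log_text: str, site_host: str) -> list:
    """Return (client_ip, status, param, value) for requests whose redirect param points off-site."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes values, so an encoded https%3A%2F%2F... is inspected as a URL.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param not in REDIRECT_PARAMS:
                continue
            for value in values:
                if is_external(value, site_host):
                    findings.append((line.split()[0], int(m.group("status")), param, value))
    return findings


if __name__ == "__main__":
    for hit in find_external_redirects(SAMPLE_LOG, "shop.example"):
        print(hit)
```

Same-site relative paths and absolute URLs on the configured host are not reported; the protocol-relative and percent-encoded forms are, which a plain substring search for "http" in the parameter would miss.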

What immediate steps should I take to mitigate this vulnerability?

There is currently no official patch available for this vulnerability.

Immediate mitigation steps include:

  • Avoid clicking on suspicious links or redirect URLs related to the B2BKing Premium plugin.
  • Limit privileged user interactions that could trigger the redirect vulnerability.
  • Implement web application firewall (WAF) rules to block or monitor suspicious redirect attempts.
  • Educate users about phishing risks related to this vulnerability.

Monitor for updates from the plugin developer or security advisories for an official patch.

