CVE-2026-28106: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in Kings Plugins B2BKing Premium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Kings Plugins B2BKing Premium allows Phishing. This issue affects B2BKing Premium: from n/a before 5.4.20.
AI Analysis
Technical Summary
CVE-2026-28106 is a security vulnerability classified as CWE-601 (URL Redirection to Untrusted Site or Open Redirect) affecting the Kings Plugins B2BKing Premium product. This vulnerability exists in versions before 5.4.20 and allows attackers to manipulate URL parameters to redirect users to malicious external websites. The exploit involves crafting URLs that appear legitimate but redirect victims to phishing or malware-hosting sites, thereby undermining user trust and potentially compromising user credentials or systems. The vulnerability is remotely exploitable over the network without requiring any privileges but does require user interaction to click on the malicious link. The vulnerability does not affect the integrity or availability of the B2BKing plugin itself but poses a confidentiality risk by enabling phishing attacks. The CVSS 3.1 base score is 4.7, indicating medium severity, with vector metrics AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N, meaning network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low confidentiality impact. No public exploits or patches are currently listed, but the vendor has addressed the issue in version 5.4.20. The vulnerability is typical of open redirect flaws where insufficient validation of redirect URLs allows attackers to abuse trusted domains to lure victims to malicious sites.
Potential Impact
The primary impact of CVE-2026-28106 is on user confidentiality and trust. Attackers can exploit the open redirect to conduct phishing campaigns by sending crafted URLs that appear to originate from a trusted B2BKing Premium site but redirect users to malicious domains. This can lead to credential theft, malware infection, or social engineering attacks. While the plugin’s integrity and availability remain unaffected, the reputational damage to organizations using the vulnerable plugin can be significant. Businesses relying on B2BKing Premium for B2B e-commerce may see increased phishing risks targeting their customers or partners. The vulnerability could also be leveraged as part of multi-stage attacks, increasing overall risk exposure. Since exploitation requires user interaction, the impact is somewhat limited but still notable given the widespread use of B2BKing Premium in online commerce platforms.
Mitigation Recommendations
To mitigate CVE-2026-28106, organizations should immediately upgrade B2BKing Premium to version 5.4.20 or later, where the vulnerability has been addressed. In addition, implement strict validation and sanitization of all URL parameters used for redirection to ensure they only allow trusted internal URLs. Employ allowlists for redirect destinations rather than blacklists. Educate users and staff about phishing risks associated with suspicious links, especially those appearing to come from trusted domains. Use web application firewalls (WAFs) to detect and block suspicious redirect patterns. Monitor logs for unusual redirect activity and conduct regular security assessments of plugins and third-party components. Consider implementing Content Security Policy (CSP) headers to restrict navigation to trusted domains. Finally, maintain an incident response plan to quickly address phishing incidents stemming from this vulnerability.
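An allowlist check of the kind the recommendations describe, written here as an added Python illustration rather than code from B2BKing or Patchstack; the allowed host names and the `redirect_to` parameter it guards are assumptions. It goes beyond the page's one-sentence advice by refusing the inputs a naive "starts with /" check lets through: scheme-relative `//host`, backslashes, embedded credentials, and tab or newline characters that browsers silently strip.

```python
"""Allowlist validation of a redirect target, the CWE-601 mitigation the
advisory recommends.  Added illustration, not B2BKing code; the allowed
hosts and the redirect_to parameter name are constructed assumptions."""
import re
from urllib.parse import urlsplit

# Hosts the application may legitimately send a user to (constructed).
ALLOWED_HOSTS = {"shop.example.com", "portal.example.com"}
SAFE_FALLBACK = "/"
# Browsers strip tabs/newlines and treat backslash as a slash, so any such
# character is a sign of tampering and is rejected outright.
_SUSPICIOUS = re.compile(r"[\x00-\x20\x7f\\]")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a site-relative path or an absolute http(s) URL
    whose host is on the allowlist.  Everything else is refused."""
    if not target or _SUSPICIOUS.search(target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative: exactly one leading slash.  "//host" and "///host"
        # are scheme-relative URLs to a foreign host in every browser.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False          # javascript:, data:, and anything exotic
    if "@" in parts.netloc:
        return False          # "https://shop.example.com@evil.example"
    host = parts.hostname     # lowercased, userinfo and port stripped
    return host is not None and host in allowed_hosts


def resolve_redirect(target: str, allowed_hosts=ALLOWED_HOSTS,
                     fallback: str = SAFE_FALLBACK) -> str:
    """Return the target if it passes the allowlist, else a safe default."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample of values a "redirect_to" parameter might carry.
    for candidate in ["/account/orders", "https://shop.example.com/checkout",
                      "//evil.example/login", "https:evil.example",
                      "https://shop.example.com@evil.example/"]:
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)!r}")
```

In a WordPress plugin the same policy is what wp_safe_redirect() enforces through wp_validate_redirect() and the allowed_redirect_hosts filter; the standalone version shows which inputs such a validator has to refuse.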
Affected Countries
United States, United Kingdom, Germany, Australia, Canada, India, Netherlands, France, Brazil, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-02-25T12:14:02.974Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aac20ac48b3f10ff714a0d
Added to database: 3/6/2026, 12:01:14 PM
Last enriched: 3/13/2026, 7:49:01 PM
Last updated: 4/20/2026, 7:56:29 PM