CVE-2026-28106 is classified as a CWE-601 Open Redirect vulnerability found in Kings Plugins B2BKing Premium, a widely used B2B e-commerce plugin. This vulnerability allows an attacker to craft URLs that redirect users from a legitimate site using the plugin to an untrusted external site. The vulnerability affects all versions up to 5.3.80, with no specific version exclusions noted. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), such as clicking a malicious link. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact is limited to confidentiality (C:L) with no impact on integrity or availability. Open Redirect vulnerabilities are commonly exploited in phishing campaigns to trick users into visiting malicious websites that may harvest credentials or deliver malware. Although no known exploits are currently reported in the wild, the presence of this vulnerability in a popular plugin used in B2B e-commerce environments poses a risk to organizations relying on this software. The lack of available patches at the time of publication increases the urgency for mitigation through alternative controls. The vulnerability arises from insufficient validation or sanitization of URL parameters that control redirection destinations, allowing attackers to manipulate these parameters to redirect users to attacker-controlled domains.

The primary impact of this vulnerability is an increased risk of phishing attacks targeting users of websites running B2BKing Premium. Attackers can exploit the open redirect to craft URLs that appear legitimate but redirect victims to malicious sites designed to steal credentials, distribute malware, or conduct social engineering. This can lead to compromised user accounts, data breaches, and reputational damage for affected organizations. While the vulnerability does not directly affect system integrity or availability, the indirect consequences of successful phishing can be severe, including unauthorized access and financial loss. Organizations with large user bases or those handling sensitive B2B transactions are at higher risk. The medium CVSS score reflects the moderate ease of exploitation combined with limited direct technical impact but significant potential for social engineering abuse. The absence of known exploits suggests the vulnerability is not yet widely weaponized, but proactive mitigation is critical to prevent future attacks.

1. Implement strict validation and sanitization of all URL parameters used for redirection within B2BKing Premium or any custom code interacting with it. 2. Employ allowlisting of redirect destinations to ensure only trusted URLs are permitted. 3. Use security headers such as Content Security Policy (CSP) to restrict navigation to trusted domains. 4. Educate users and staff about phishing risks and encourage verification of URLs before clicking. 5. Monitor web traffic and logs for suspicious redirect patterns or unusual URL parameters. 6. Apply web application firewalls (WAF) rules to detect and block open redirect attempts. 7. Stay updated on vendor advisories and apply patches promptly once available. 8. Consider implementing multi-factor authentication (MFA) to reduce the impact of credential theft resulting from phishing. 9. If possible, temporarily disable or restrict the vulnerable redirection functionality until a patch is released. 10. Conduct regular security assessments and penetration testing focusing on URL handling and redirection logic.