What is CVE-2026-28106?

A medium-severity URL redirection vulnerability in Kings Plugins B2BKing Premium allows potential phishing attacks. Organizations must address this vulnerability to protect their users from untrusted redirects.

What is the severity of CVE-2026-28106?

CVE-2026-28106 has a severity rating of MEDIUM with a CVSS base score of 4.7.

CVE-2026-28106 | Medium Vulnerability in Kings Plugins B2BKing Premium

CVE-2026-28106 is a URL Redirection to Untrusted Site ('Open Redirect') vulnerability affecting the B2BKing Premium plugin. This medium-severity vulnerability, classified under CVSS 4.7, poses a risk as it can be exploited to facilitate phishing attacks. The vulnerability exists due to insufficient validation of user input, which allows attackers to redirect users to malicious sites.

The vulnerability affects versions of B2BKing Premium prior to 5.4.20 and requires user interaction to trigger. The risk to organizations includes the potential compromise of sensitive user information and loss of trust, as phishing attacks can lead to unauthorized data access.

Currently, this vulnerability has a deferred status, meaning that while it has been identified, it may not yet have been addressed by the vendor. Organizations should prioritize patching this vulnerability once a fix is made available to mitigate the risk.

Given the potential for exploitation, organizations are advised to monitor for updates and apply patches as soon as they become available, especially in environments using the B2BKing Premium plugin.

Vulnerability Details

The vulnerability allows attackers to redirect users to untrusted sites, which can be exploited to conduct phishing attacks. The official CVE description notes that this issue affects B2BKing Premium prior to version 5.4.20. The CVSS score of 4.7 indicates a medium severity level, highlighting the importance of addressing this vulnerability.

The vulnerability classification falls under CWE-601, indicating an open redirect issue. Organizations should be aware of this classification as it can help in understanding the nature of the vulnerability.

Technical Analysis

The root cause of CVE-2026-28106 is due to insufficient validation of user input within the B2BKing Premium plugin. The attack vector is network-based, requiring low complexity for exploitation. Importantly, no privileges are required to exploit this vulnerability, and user interaction is necessary, making it a targeted attack.

Regarding impacts, the vulnerability has a low confidentiality impact, no integrity impact, and no availability impact. However, the potential for phishing attacks can lead to significant organizational risks.

Risk & Impact Analysis

The real-world risk associated with CVE-2026-28106 is significant, particularly for organizations that rely on B2BKing Premium for their operations. Phishing attacks can lead to unauthorized access to sensitive user data, resulting in financial loss and reputational damage.

Organizations should assess their exposure to this vulnerability and take immediate steps to patch or mitigate this risk. The urgency for addressing this vulnerability is moderate, as it has been classified as medium severity. Timely remediation is necessary to protect user data and maintain organizational integrity.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerability affects all versions of B2BKing Premium prior to 5.4.20. Organizations using earlier versions should plan for an upgrade to mitigate this vulnerability.

Mitigation & Remediation

To remediate this vulnerability, organizations should upgrade to the latest version of B2BKing Premium. If the patch is not available, consider implementing input validation checks to mitigate potential exploitation. Additionally, regular security assessments can help identify vulnerabilities.

Detection Guidance

Organizations should monitor logs for unusual redirect patterns and user reports of phishing attempts. Behavioral anomalies indicating potential exploitation should also be investigated.

AppSecure Threat Intelligence Insight

The CVE-2026-28106 vulnerability reflects ongoing trends in web application security, particularly concerning input validation issues. Security teams should prioritize input validation as a part of their application security strategy. For more insights, organizations can explore resources on secure coding practices and consider ongoing training for developers to mitigate such vulnerabilities.

Additionally, implementing a robust penetration testing methodology can help in identifying similar weaknesses in the organization's applications.

Organizations should also enhance their security posture through continuous security assessments and reviews, as emphasized in the vulnerability management program to ensure ongoing protection against evolving threats.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-28106: Medium Vulnerability in Kings Plugins B2BKing Premium