Skip to main content

WordPress Toolkit CVE-2026-47365

| EUVDEUVD-2026-36376 CRITICAL
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-06-12 hackerone GHSA-h8q3-g2vj-75c6
9.9
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable cPanel UI with any low-tier authenticated account (PR:L, AV:N, AC:L), no user interaction, and argument injection crosses tenant boundary (S:C) yielding full C/I/A on victim accounts.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
CVE Published
Jun 22, 2026 - 06:03 cve.org
CRITICAL 9.9
Patch available
Jun 12, 2026 - 05:01 EUVD
Analysis Generated
Jun 12, 2026 - 03:44 vuln.today

DescriptionCVE.org

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

AnalysisAI

Cross-tenant privilege escalation in WebPros WordPress Toolkit prior to 6.11.0 (as bundled with cPanel & WHM) allows an authenticated low-privilege account holder to inject arguments into the wp-toolkit CLI and execute commands in the context of another tenant on the same shared server. With a CVSS of 9.9 and scope change, a single compromised hosting account can pivot to siblings on the same host. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Technical ContextAI

WordPress Toolkit is a management plugin for cPanel & WHM (WebPros) that wraps the underlying wp-toolkit CLI to administer WordPress installations across hosting tenants. The flaw is a CWE-88 Argument Injection: user-controllable input is concatenated into the CLI invocation without proper option/argument separation (e.g., missing '--' terminator or insufficient validation of values that begin with '-'), letting an attacker smuggle additional flags that change which tenant or account the CLI operates on. Because cPanel/WHM is multi-tenant, the wp-toolkit CLI runs with elevated privilege and accepts account-targeting flags, which is what makes the injection cross-tenant rather than self-only. Affected CPE is cpe:2.3:a:webpros:wordpress-toolkit:*:*:*:*:*:*:*:* with the fix landing in 6.11.0.

RemediationAI

Vendor-released patch: WordPress Toolkit 6.11.0 - upgrade cPanel & WHM servers to a build that ships this version or later, following the cPanel advisory at https://support.cpanel.net/hc/en-us/articles/41004584983703-WP-Toolkit-CVE-2026-47365. Until the upgrade is applied, compensating controls include disabling the WordPress Toolkit feature for all non-trusted reseller and end-user packages in WHM Feature Manager (trade-off: customers lose self-service WordPress management), restricting wp-toolkit CLI access to administrators only via cPanel role configuration, and monitoring wp-toolkit invocation logs for arguments containing unexpected account identifiers or flags injected by another user. On busy shared-hosting nodes, also audit recently created or modified WordPress installations across tenants for signs of cross-account changes before patching.

Share

CVE-2026-47365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy