Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable cPanel UI with any low-tier authenticated account (PR:L, AV:N, AC:L), no user interaction, and argument injection crosses tenant boundary (S:C) yielding full C/I/A on victim accounts.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.
AnalysisAI
Cross-tenant privilege escalation in WebPros WordPress Toolkit prior to 6.11.0 (as bundled with cPanel & WHM) allows an authenticated low-privilege account holder to inject arguments into the wp-toolkit CLI and execute commands in the context of another tenant on the same shared server. With a CVSS of 9.9 and scope change, a single compromised hosting account can pivot to siblings on the same host. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Technical ContextAI
WordPress Toolkit is a management plugin for cPanel & WHM (WebPros) that wraps the underlying wp-toolkit CLI to administer WordPress installations across hosting tenants. The flaw is a CWE-88 Argument Injection: user-controllable input is concatenated into the CLI invocation without proper option/argument separation (e.g., missing '--' terminator or insufficient validation of values that begin with '-'), letting an attacker smuggle additional flags that change which tenant or account the CLI operates on. Because cPanel/WHM is multi-tenant, the wp-toolkit CLI runs with elevated privilege and accepts account-targeting flags, which is what makes the injection cross-tenant rather than self-only. Affected CPE is cpe:2.3:a:webpros:wordpress-toolkit:*:*:*:*:*:*:*:* with the fix landing in 6.11.0.
RemediationAI
Vendor-released patch: WordPress Toolkit 6.11.0 - upgrade cPanel & WHM servers to a build that ships this version or later, following the cPanel advisory at https://support.cpanel.net/hc/en-us/articles/41004584983703-WP-Toolkit-CVE-2026-47365. Until the upgrade is applied, compensating controls include disabling the WordPress Toolkit feature for all non-trusted reseller and end-user packages in WHM Feature Manager (trade-off: customers lose self-service WordPress management), restricting wp-toolkit CLI access to administrators only via cPanel role configuration, and monitoring wp-toolkit invocation logs for arguments containing unexpected account identifiers or flags injected by another user. On busy shared-hosting nodes, also audit recently created or modified WordPress installations across tenants for signs of cross-account changes before patching.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36376
GHSA-h8q3-g2vj-75c6