Wp Squared

5 CVEs product

CVE-2026-29206 HIGH PATCH This Week

SQL injection in the cPanel/WHM sqloptimizer utility script allows attackers to execute arbitrary SQL queries as the MySQL root user when Slow Query logging is enabled. The flaw affects multiple cPanel branches (11.86 through 11.136), WP Squared, and the CloudLinux 6/CentOS 6 builds, with no public exploit identified at time of analysis. EPSS is low (0.03%) and SSVC marks exploitation as 'none', but technical impact is rated total because the injection runs with full database privileges.

SQLi Cpanel Wp Squared Cpanel Cloudlinux 6 Centos 6
NVD VulDB
CVSS 3.1: 8.1
EPSS: 0.0%
CVE-2026-32991 HIGH PATCH This Week

Privilege escalation in cPanel and WP Squared allows an authenticated team member account to elevate privileges to the team owner, granting full control over the hosting account. The flaw stems from improper authorization checks within the team-member privilege model and carries a CVSS 7.1 (high integrity impact). EPSS is very low (0.03%) and no public exploit has been identified at time of analysis, but a vendor patch is available.

Authentication Bypass Cpanel Wp Squared Cpanel Cloudlinux 6 Centos 6
NVD VulDB
CVSS 3.1: 7.1
EPSS: 0.0%
CVE-2026-29201 HIGH PATCH This Week

Insufficient input validation of the feature file name in the `feature::LOADFEATUREFILE` adminbin call can cause an arbitrary file read when a relative file path is passed.

Information Disclosure Cpanel Wp Squared Cpanel Centos 6 Cloudlinux 6
NVD VulDB
CVSS 3.1: 8.6
EPSS: 0.0%
CVE-2026-29203 MEDIUM PATCH This Month

A chmod call in the cPanel Nova plugin's `Cpanel::Nova::Connector` follows symlinks, allowing root permissions to be set on arbitrary system files or directories. This can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.

Privilege Escalation Cpanel Wp Squared Cpanel Centos 6 Cloudlinux 6
NVD VulDB
CVSS 4.0: 5.3
EPSS: 0.0%
CVE-2026-41940 CRITICAL POC KEV EUVD KEV PATCH THREAT NEWS Act Now

Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. Given that cPanel administers shared hosting environments, successful exploitation typically grants attackers control over many downstream customer sites.

Authentication Bypass Cpanel Whm Wp Squared
NVD GitHub VulDB Exploit-DB
CVSS 4.0: 9.3
EPSS: 16.5%
Threat: 5.4
