CRITICAL🇵🇱 Wersja polska

CVE-2026-47365

CVSS 9.9v3.1pub. 2026-06-12

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

🤖 AI Analysis
How it works

The CWE-88 (argument injection) vulnerability occurs because input supplied by an authenticated user is improperly sanitized before being passed as arguments to the wp-toolkit CLI interface. An attacker can inject additional arguments that change the command execution context — as a result, the operation is performed on another tenant's account, bypassing account isolation mechanisms in the cPanel & WHM environment. No user interaction or elevated privileges are required — only possession of any authenticated account is necessary.

Impact

An attacker can execute arbitrary wp-toolkit CLI commands as another account on the system, leading to complete takeover of another tenant's WordPress site, data theft, file modification, and potential further lateral movement in the hosting environment.

Mitigation & patch

Update WordPress Toolkit to version 6.11.0 or later. Detailed information is available in the official cPanel security bulletin at the reference provided: https://support.cpanel.net/hc/en-us/articles/41004584983703-WP-Toolkit-CVE-2026-47365

Who is affected

WordPress Toolkit prior to version 6.11.0 installed as a component of cPanel & WHM

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References