Introduction
A single authenticated cPanel account on a shared hosting server can now compromise every other tenant's WordPress installations, thanks to an argument injection flaw in WP Toolkit that shatters cross-tenant isolation. CVE-2026-47365, scored at CVSS 9.9 by HackerOne, allows any remote authenticated cPanel user to inject arguments into the wp-toolkit CLI and execute commands as a different account on the same server.
WP Toolkit is a cPanel and Plesk plugin that provides centralized management of WordPress installations, including mass operations on sites, plugins, and themes. It ships as a third-party component within cPanel & WHM and is widely deployed across the shared hosting industry, where cPanel holds an estimated 94.10% market share among web hosting control panels according to 6sense. Because WP Toolkit operates with elevated privileges to manage WordPress instances across tenant boundaries, a flaw in its argument handling has outsized consequences for multi-tenant environments.
Technical Information
Root Cause: CWE-88 Argument Injection
CVE-2026-47365 is classified under CWE-88: Improper Neutralization of Argument Delimiters in a Command. This weakness occurs when software constructs a command string for execution but fails to properly delimit the intended arguments, options, or switches within that command string.
CWE-88 is distinct from the more commonly encountered CWE-78 (OS Command Injection). Argument injection does not require shell metacharacters such as semicolons, pipes, or backticks. Instead, it leverages argument-separating characters like whitespace or dashes to inject unintended options or switches that alter the command's behavior. The MITRE CWE entry provides a canonical example: a Perl routine validates filenames against a pattern like /^[\w\-]+$/ and passes them to /bin/ls -l $fname. An attacker can inject an argument such as -l /etc/passwd to override the intended behavior without using any shell metacharacters. The same principle applies to CVE-2026-47365.
The vulnerability resided in how WP Toolkit handled arguments passed to its internal CLI layer. Prior to version 6.11.0, user-controlled input was not properly neutralized for argument delimiters before being passed into wp-toolkit CLI command construction. This meant a crafted request could inject additional arguments or switches into the CLI invocation, and critically, those injected arguments could cause the command to execute in the context of a different cPanel tenant account.
CVSS Breakdown
The CVSS 3.1 vector string scored by HackerOne (the CNA for this CVE) is:
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H = 9.9 CRITICAL
The Changed scope (S:C) is the key element here. It reflects the fact that exploitation crosses the tenant authorization boundary, impacting resources beyond the attacker's own security scope. The attack requires low privileges (any authenticated cPanel account), no user interaction, and low attack complexity, all over the network.
Note that the NVD CVSS 4.0 assessment is listed as "N/A" with the note "NVD assessment not yet provided," so the official NVD severity may evolve.
Attack Flow
The exploitation chain proceeds in three stages:
-
Authentication: The attacker authenticates to cPanel with any valid account credentials on the target server. This is the only prerequisite. In a shared hosting environment, every paying customer has such credentials.
-
Argument Injection: The attacker crafts input containing additional argument delimiters or switches and submits it through the WP Toolkit interface. Because the toolkit does not properly sanitize these delimiters before constructing the CLI command, the injected arguments become part of the executed command.
-
Cross-Tenant Execution: The injected arguments cause the
wp-toolkitCLI command to execute in the context of a different cPanel tenant account, bypassing the authorization boundary that should prevent one account from acting on another's WordPress installations.
Impact
A successful exploit enables an attacker to perform any operation that the wp-toolkit CLI supports, but targeting another tenant's WordPress sites. This could include:
- Installing malicious plugins or themes on the victim's WordPress sites
- Modifying site configurations (including admin credentials)
- Extracting database credentials stored in
wp-config.php - Achieving arbitrary code execution within the victim's WordPress environment
In shared hosting environments, where dozens or hundreds of accounts may coexist on a single server, a single compromised or malicious tenant could cascade into a server-wide breach.
Chaining Potential with CVE-2026-41940
A particularly concerning scenario involves chaining this vulnerability with CVE-2026-41940, the April 2026 cPanel authentication bypass (CVSS 9.8) that was actively exploited as a zero-day for months. An attacker who first exploits CVE-2026-41940 to gain unauthenticated access to a cPanel account could then leverage CVE-2026-47365 to escalate across tenant boundaries. This combination would effectively allow unauthenticated remote attackers to achieve cross-tenant WordPress site compromise on shared hosting servers where both vulnerabilities remain unpatched. While this chain has not been observed in the wild, it represents a realistic threat model given the documented exploitation of CVE-2026-41940 and the availability of public proof-of-concept code for it.
Patch Information
The fix is included in WP Toolkit version 6.11.0, which eliminates the argument injection flaw by properly sanitizing and validating argument delimiters before they reach the CLI execution path. This ensures that a user's commands remain scoped to their own tenant. The prior release, WP Toolkit 6.10.1 (released April 15, 2026), remains vulnerable.
WP Toolkit ships as a third-party component within cPanel & WHM and follows its own versioning and release cycle, independent of the core cPanel version. Upgrading to 6.11.0 is the sole remediation path; no separate hotfix or configuration workaround exists.
cPanel's official advisory provides two methods for applying the update. The primary method, run as root:
/usr/local/cpanel/3rdparty/wp-toolkit/bin/wp-toolkit-installer.sh --version 6.11.0
If the local installer script is unavailable or non-functional, an alternative method fetches the installer directly from the upstream distribution:
bash <(curl https://wp-toolkit.plesk.com/cPanel/installer.sh || wget -O - https://wp-toolkit.plesk.com/cPanel/installer.sh) --version 6.11.0
Community reports on Reddit indicate that some administrators experienced long execution times when running the primary upgrade command on servers with WP Toolkit 6.10.1 installed. Administrators should plan for potential extended patching windows on servers with large WordPress inventories.
After applying the patch, verify the installed WP Toolkit version has been updated to 6.11.0 or higher. If patching must be delayed, consider temporarily disabling the WP Toolkit plugin to reduce the attack surface, though this approach has not been officially endorsed by cPanel.
Affected Systems and Versions
The vulnerability impacts any cPanel server, on any operating system, that has WP Toolkit installed at a version lower than 6.11.0. This includes all cPanel deployments across all supported operating systems (CentOS, AlmaLinux, Ubuntu, and others).
| Attribute | Value |
|---|---|
| Vulnerable Component | WP Toolkit before 6.11.0 |
| Platform | cPanel & WHM (all supported operating systems) |
| Last Vulnerable Version | WP Toolkit 6.10.1 (released April 15, 2026) |
| Fixed Version | WP Toolkit 6.11.0 |
| Attack Prerequisite | Valid cPanel account credentials on the target server |
Vendor Security History
2026 has been a challenging year for cPanel's security posture, with multiple critical vulnerabilities disclosed in rapid succession:
| CVE | Date | CVSS | Description | Exploitation Status |
|---|---|---|---|---|
| CVE-2026-41940 | Apr 28, 2026 | 9.8 | Authentication bypass in cPanel/WHM login (CRLF injection) | Actively exploited as zero-day for months; 1.5M+ instances affected |
| CVE-2026-32993 | May 13, 2026 | High | Unauthenticated HTTP header injection via cpsrvd endpoint | No known exploits at time of disclosure |
| CVE-2026-29205 | May 13, 2026 | High | Arbitrary file read via cpdavd (incorrect privilege drop and path filtering) | No known exploits at time of disclosure |
| CVE-2026-47365 | Jun 12, 2026 | 9.9 | Argument injection in WP Toolkit (cross-tenant auth bypass) | No known exploits as of disclosure |
The CVE-2026-41940 incident is particularly relevant context. That vulnerability was actively exploited as a zero-day for months before cPanel disclosed it on April 28, 2026. CyberScoop reported widespread exploitation, with Picus Security documenting over 1.5 million cPanel instances affected. Threat activity surged following disclosure, including brute force attacks and ransomware deployment. A public proof-of-concept was available.
CVE-2026-47365 was reported through cPanel's HackerOne bug bounty program, indicating it was discovered through coordinated disclosure rather than being found in the wild. This is a positive signal about cPanel's engagement with the security research community, though the frequency and severity of recent disclosures suggest underlying code quality concerns that warrant attention.
cPanel maintains a Security Bounty Program to reward researchers who follow responsible disclosure principles.
References
- cPanel Official Advisory: WP Toolkit CVE-2026-47365
- NVD Entry: CVE-2026-47365
- cPanel Release Notes
- CWE-88: Improper Neutralization of Argument Delimiters in a Command
- cPanel Security Advisory: CVE-2026-41940
- Cybersecurity Dive: Critical vulnerability in cPanel leads to widespread exploitation
- SecurityWeek: Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months
- Rapid7: CVE-2026-41940 cPanel & WHM Authentication Bypass
- Picus Security: CVE-2026-41940 Explained
- CyberScoop: cPanel's authentication bypass bug is being exploited in the wild
- cPanel Documentation: Install WP Toolkit
- 6sense: cPanel Market Share in Web Hosting Control Panel
- cPanel HackerOne Response Policy
- cPanel Security Bounty Program
- Reddit Discussion: WP Toolkit CVE-2026-47365
- CISA Known Exploited Vulnerabilities Catalog
- cPanel Wikipedia Entry



