Description
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Published: 2026-05-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the create_user plugin allows an authenticated user to supply an unvalidated value for the plugin parameter, causing the plugin to execute arbitrary Perl code as the system user of the cPanel account. The weakness is an input validation defect combined with a code execution vulnerability (CWE-94), which could compromise confidentiality, integrity, and availability of the entire host. The description emphasizes that the parameter is not checked before execution and that the attacker can control the payload.

Affected Systems

The vulnerability affects WebPros cPanel deployments, including installations on CentOS 6, CloudLinux 6, and the WP Squared component that interfaces with the create_user plugin. Versions that have not applied the missing input validation fix are vulnerable; vendor documentation does not list specific affected cPanel releases.

Risk and Exploitability

Exploitation requires a valid authenticated cPanel session that can access the create_user interface. The EPSS score below 1% indicates a low probability of exploitation in the wild, and the CVSS score of 5.3 reflects moderate severity. The vulnerability is not listed in CISA’s KEV catalog, but the potential impact on a compromised account warrants timely patching. The description implies that the attack vector is an authenticated cPanel session, so an attacker must first obtain valid login credentials; once those are in hand, the attack path is straightforward, because the plugin passes the parameter to execution without validating it.

Generated by OpenCVE AI on May 13, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update cPanel to a version that includes the input validation fix for the create_user plugin, or apply the official security update released by WebPros.
  • If an immediate patch is not feasible, remove or disable the vulnerable create_user plugin to block the execution path until the fix is applied.
  • Audit cPanel configuration to ensure the plugin parameter accepts only predefined values or is otherwise restricted, and monitor logs for anomalous plugin activity that might indicate an attempt to inject Perl code.
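As an added illustration, not cPanel's own code (the page does not show the create_user plugin's source), the hypothetical Perl dispatcher below contrasts the CWE-94 pattern the description points at, a caller-controlled module name reaching a string `eval`, with the allowlist check the audit recommendation calls for. All package, function and plugin names are constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration of CWE-94 in a Perl plugin dispatcher and its allowlist fix.
# Hypothetical code: the real cPanel create_user plugin is not shown on the page.
use strict;
use warnings;

# Constructed stand-in plugin, registered in %INC so `require` treats it as loaded.
package Example::Plugin::Hello;
sub run { return 'hello from ' . __PACKAGE__ }
BEGIN { $INC{'Example/Plugin/Hello.pm'} = __FILE__ }

package main;

# Fixed allowlist of plugin modules this dispatcher is permitted to load.
my %ALLOWED_PLUGINS = map { $_ => 1 } qw(Example::Plugin::Hello);

# Unsafe pattern (CWE-94): the caller-controlled name is interpolated into a code
# string that is then eval'd, so the name itself becomes executable Perl.
# Kept only for contrast; the driver below never calls it.
sub load_plugin_unsafe {
    my ($name) = @_;
    eval "require $name; 1" or die "cannot load $name: $@";
    return $name;
}

# Safe pattern: constrain the shape, check the allowlist, then load without string eval.
sub load_plugin_safe {
    my ($name) = @_;
    die "malformed plugin name\n"
        unless defined $name && $name =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;
    die "plugin not in allowlist\n"
        unless $ALLOWED_PLUGINS{$name};
    (my $path = "$name.pm") =~ s{::}{/}g;   # Foo::Bar -> Foo/Bar.pm
    require $path;                          # file-style require, no code string
    return $name->can('run') ? $name->run() : die "plugin has no run()\n";
}

# Driver: a well-formed but unlisted name and a malformed name are both refused.
for my $candidate ('Example::Plugin::Hello', 'Example::Plugin::Other', 'Hello; 1') {
    my $result = eval { load_plugin_safe($candidate) };
    if (defined $result) {
        print "$candidate => $result\n";
    } else {
        chomp(my $err = $@);
        print "$candidate => refused ($err)\n";
    }
}
```

The two checks are deliberately separate: the regex rejects anything that is not shaped like a module name, and the allowlist rejects well-formed names the dispatcher was never meant to load, so a new module appearing on disk does not silently become reachable.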



Advisories

No advisories yet.

History

Thu, 14 May 2026 00:00:00 +0000

Type Values Removed Values Added
Title Unvalidated Plugin Parameter Enables Arbitrary Perl Code Execution in cPanel

Wed, 13 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Tue, 12 May 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unvalidated Plugin Parameter Enables Arbitrary Perl Code Execution in cPanel

Tue, 12 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}


Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}


Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Arbitrary Perl Code Execution via Unvalidated Plugin Parameter in cPanel create_user

Mon, 11 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Webpros
Webpros cpanel
Webpros cpanel (centos 6, Cloudlinux 6)
Webpros wp Sqaured
Vendors & Products Webpros
Webpros cpanel
Webpros cpanel (centos 6, Cloudlinux 6)
Webpros wp Sqaured

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Arbitrary Perl Code Execution via Unvalidated Plugin Parameter in cPanel create_user

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-13T22:03:15.187Z

Reserved: 2026-03-04T15:00:09.267Z

Link: CVE-2026-29202

Vulnrichment

Updated: 2026-05-08T19:21:45.443Z

NVD

Status : Deferred

Published: 2026-05-08T19:16:30.047

Modified: 2026-05-13T22:16:42.663

Link: CVE-2026-29202

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T00:00:07Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')