Description
Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account.
Published: 2026-05-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper authorization checks of team members' privileges allow a team member to elevate privileges to the team owner account. This is a classic privilege escalation scenario in which an authenticated user can acquire read and administrative rights normally reserved for the team owner. The weakness is identified as CWE-863, an improper authorization flaw that can compromise confidentiality, integrity, and availability of team resources.

Affected Systems

The affected systems are WebPros' WP Squared and cPanel applications, including deployments on CloudLinux 6 and CentOS 6. No specific version details are listed, indicating that multiple releases may share the same flaw. The vulnerability may affect versioned products that are still maintained and for which WebPros is the vendor.

Risk and Exploitability

The CVSS score of 7.1 denotes a high severity rating, while the EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog. An attacker likely needs authenticated access as a team member to exploit this weakness, and the attack vector is inferred to be internal or through a privileged API. The lack of an exploit probability metric suggests limited publicly known exploitation but does not eliminate the potential for targeted attacks that leverage existing access.

Generated by OpenCVE AI on May 13, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security updates from cPanel and WebPros when available.
  • Review and restrict team member permissions to enforce the principle of least privilege.
  • Enable detailed logging of privileged transactions and monitor for anomalous access patterns.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Webpros; Webpros cpanel; Webpros cpanel (cloudlinux 6, Centos 6); Webpros wp Squared; Wordpress; Wordpress wordpress
Vendors & Products | | Webpros; Webpros cpanel; Webpros cpanel (cloudlinux 6, Centos 6); Webpros wp Squared; Wordpress; Wordpress wordpress

Thu, 14 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 23:45:00 +0000

Type | Values Removed | Values Added
Title | | Team Member Privilege Escalation to Team Owner in cPanel and WP Squared

Wed, 13 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account.
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-14T13:11:23.622Z

Reserved: 2026-03-17T15:00:07.746Z

Link: CVE-2026-32991

Vulnrichment

Updated: 2026-05-14T13:11:20.357Z

NVD

Status: Deferred

Published: 2026-05-13T23:16:43.110

Modified: 2026-05-14T16:49:18.583

Link: CVE-2026-32991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:07Z

Weaknesses