Impact
An argument injection flaw in WordPress Toolkit versions prior to 6.11.0 allows an authenticated user with access to the cPanel or WHM interface to craft requests that bypass cross-tenant authorization checks. The flaw can be exploited to run any wp-toolkit CLI command as another account, giving the attacker the ability to modify, delete, or exfiltrate content owned by that account and potentially to execute arbitrary system commands. The result is a complete loss of confidentiality, integrity, and availability for affected website owners.
Affected Systems
The vulnerability affects the WordPress Toolkit product from WebPros that is integrated into cPanel and WHM. All installations running WordPress Toolkit 6.10.x or earlier are impacted. The issue does not apply to WordPress Toolkit 6.11.0 and later, where the command arguments are properly validated and the cross-tenant check has been reinforced. The statement that all installations on 6.10.x or earlier are impacted is inferred from the description that the flaw exists in versions before 6.11.0.
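A small triage helper for the version boundary above, added here as an example and not taken from the advisory or from the vendor: it parses WordPress Toolkit version strings, classifies anything below 6.11.0 as affected, and lists hosts that still need the upgrade. How the version is collected from each server is outside the example; the inventory below is constructed with hypothetical hostnames.

```python
import re

# First fixed release named in the advisory; everything below it is affected.
FIXED_VERSION = "6.11.0"


def parse_version(text):
    """Turn a version string such as '6.10.3' or '6.11.0-2' into a comparable tuple.

    A trailing build suffix after '-' is ignored and missing components count as 0,
    so '6.9' compares as (6, 9, 0). Unparseable input raises rather than silently
    classifying a host as safe.
    """
    core = text.strip().split("-", 1)[0]
    match = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", core)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def is_affected(version):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def hosts_needing_upgrade(inventory):
    """inventory maps hostname -> installed WordPress Toolkit version string."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "web01.example.test": "6.10.2",
    "web02.example.test": "6.11.0",
    "web03.example.test": "6.9",
    "web04.example.test": "6.11.0-1",
    "web05.example.test": "7.0.0",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: WordPress Toolkit {SAMPLE_INVENTORY[host]} is affected, upgrade to {FIXED_VERSION}+")
```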
Risk and Exploitability
The CVSS score of 9.9 reflects a full remote code execution capability that requires authentication but not privileged local access. No EPSS score is currently available, but the absence of known in-the-wild exploitation does not diminish the inherent risk posed by this flaw. The vulnerability is not listed in the CISA KEV catalog, yet its severity and the vendor's recommendation to upgrade mean that a timely response is critical. An attacker who holds a legitimate account on a hosted site, or who obtains one through phishing, can use the flaw immediately, so the attack vector is remote and authenticated.
OpenCVE Enrichment