Description
Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.
Published: 2026-06-12
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An argument injection flaw (CWE-88) in WordPress Toolkit versions prior to 6.11.0 allows an authenticated cPanel or WHM user to craft requests whose attacker-controlled values are interpreted as additional arguments to the wp-toolkit CLI, bypassing the cross-tenant authorization check. The flaw can be exploited to run any wp-toolkit CLI command as another account, which is sufficient to modify, delete, or exfiltrate content owned by that account's WordPress sites. Whether this extends to arbitrary operating-system command execution is not stated in the advisory. The CVSS vector (C:H/I:H/A:H with changed scope) rates this as complete loss of confidentiality, integrity, and availability for the affected website owners.
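The pattern behind this class of bug, as an added, hypothetical illustration that is not WordPress Toolkit's code, its real option names, or the vendor's fix: a wrapper authorizes the instance id the caller declares, then re-splits free-form user text into argv, so a token such as an injected target-selection flag is parsed after the check already passed. The hardened builder forwards user input only as discrete argv entries placed after the `--` end-of-options sentinel. The `-instance-id` flag, the `OWNERS` table, and the last-flag-wins parser in `resolve_target` are assumptions made for the demo.

```python
# Added, hypothetical illustration of the CWE-88 pattern in a CLI wrapper.
# This is NOT WordPress Toolkit's code, its real option names, or its fix;
# TARGET_FLAG, OWNERS and the simulated parser below are assumptions.
import shlex

OWNERS = {101: "alice", 202: "bob"}   # constructed instance -> owning account table
TARGET_FLAG = "-instance-id"          # hypothetical option that selects the target site


def authorize(caller, instance_id):
    """Cross-tenant check: a caller may only act on instances it owns."""
    if OWNERS.get(instance_id) != caller:
        raise PermissionError(f"{caller} does not own instance {instance_id}")


def build_argv_vulnerable(caller, instance_id, user_text):
    """Checks the declared instance, then re-splits free-form user text into
    argv.  Any option-looking token in that text becomes a real toolkit option,
    so the authorised instance id can be overridden after the check has run."""
    authorize(caller, instance_id)
    return ["wp-toolkit", "--wp-cli", TARGET_FLAG, str(instance_id)] + shlex.split(user_text)


def build_argv_hardened(caller, instance_id, user_args):
    """Checks the declared instance, then forwards user input only as discrete
    argv entries after the '--' end-of-options sentinel, so the toolkit never
    parses them as its own options."""
    authorize(caller, instance_id)
    if not isinstance(user_args, (list, tuple)) or not user_args:
        raise ValueError("user_args must be a non-empty list of argv entries")
    if any(not isinstance(t, str) or "\0" in t for t in user_args):
        raise ValueError("argv entries must be NUL-free strings")
    return ["wp-toolkit", "--wp-cli", TARGET_FLAG, str(instance_id), "--", *user_args]


def resolve_target(argv):
    """Simulated toolkit option parser (assumed behaviour: the last TARGET_FLAG
    wins and '--' ends option parsing).  Returns the instance the command would
    really act on and the arguments forwarded past the options."""
    target, passthrough, i = None, [], 1          # argv[0] is the program name
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            passthrough.extend(argv[i + 1:])
            break
        if tok == TARGET_FLAG and i + 1 < len(argv):
            target = int(argv[i + 1])
            i += 2
            continue
        if not tok.startswith("-"):               # boolean options such as --wp-cli are skipped
            passthrough.append(tok)
        i += 1
    return target, passthrough


if __name__ == "__main__":
    injected = f"{TARGET_FLAG} 202 -- plugin list"   # alice smuggles bob's instance id
    print(resolve_target(build_argv_vulnerable("alice", 101, injected)))
    print(resolve_target(build_argv_hardened("alice", 101, [TARGET_FLAG, "202", "plugin", "list"])))
```

In the vulnerable path the simulated parser resolves alice's request to instance 202, bob's site, even though `authorize` was called on 101; in the hardened path the same tokens end up after `--` and the target stays 101. The general lesson is that an authorization check is only as good as the binding between the value it checked and the value the downstream command consumes.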

Affected Systems

The vulnerability affects the WordPress Toolkit product from WebPros as integrated into cPanel and WHM. The description states that the flaw exists in versions before 6.11.0, so all installations running WordPress Toolkit 6.10.x or earlier should be treated as affected; 6.11.0 is the implied fixed version. The advisory does not describe the fix itself, so the assumption that 6.11.0 validates command arguments and enforces the cross-tenant check is inferred from the version boundary, not stated by the vendor.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) yields 9.9 because the attack is network-reachable, low complexity, needs only a low-privileged account and no user interaction, and changes scope: one tenant's cPanel credentials become control over another tenant's WordPress sites. EPSS is currently below 1% and the SSVC assessment records no known exploitation, but both reflect the absence of observed activity rather than the difficulty of the attack. The vulnerability is not listed in the CISA KEV catalog, yet the severity and the fixed version named in the description justify a prompt upgrade. The only prerequisite is a valid account on the same server, whether a legitimate customer on a shared host or a credential obtained through phishing, so the attack vector is remote authenticated and exposure is greatest on multi-tenant shared hosting.

Generated by OpenCVE AI on June 12, 2026 at 04:51 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The description states the flaw exists in versions before 6.11.0, so 6.11.0 is the implied fixed version; confirm against the vendor's release notes before relying on it.

OpenCVE Recommended Actions

  • Upgrade WordPress Toolkit to version 6.11.0 or later, the first version outside the affected range, which removes the argument injection (CWE-88) and restores cross-tenant authorization.
  • Audit all accounts on the server: every cPanel or WHM login is a potential attacker here, so remove unused or suspended accounts and reset credentials for any account suspected of compromise.
  • Review wp-toolkit activity for commands executed against WordPress instances that the requesting account does not own, and alert on any such cross-account execution; on a patched server this should never occur.



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Webpros
                                       Webpros wordpress-toolkit
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Webpros
                                       Webpros wordpress-toolkit
                                       Wordpress
                                       Wordpress wordpress

Fri, 12 Jun 2026 16:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 05:15:00 +0000

Type                  Values Removed   Values Added
Title                                  Authenticated Account Bypass in WordPress Toolkit Enables Arbitrary CLI Execution

Fri, 12 Jun 2026 03:30:00 +0000

Type                  Values Removed   Values Added
Description                            Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.
Weaknesses                             CWE-88
References                             (none)
Metrics                                cvssV3_1
                                       {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-12T15:34:38.290Z

Reserved: 2026-05-19T15:00:09.320Z

Link: CVE-2026-47365

Vulnrichment

Updated: 2026-06-12T15:34:26.632Z

NVD

Status : Awaiting Analysis

Published: 2026-06-12T04:17:05.107

Modified: 2026-06-12T16:08:20.803

Link: CVE-2026-47365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:21:18Z

Weaknesses
  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')