CVE-2026-47365

CRITICAL NVD

CVSS Score 9.9

Severity CRITICAL

Published Jun 12, 2026

Vendor unknown

Description

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

References

https://support.cpanel.net/hc/en-us/articles/41004584983703-WP-Toolkit-CVE-2026-47365