CVE-2026-47365 | THREATINT

Description

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

PUBLISHED Reserved 2026-05-19 | Published 2026-06-12 | Updated 2026-06-12 | Assigner hackerone

CRITICAL: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Product status

Default status

unaffected

Any version before 6.11.0

affected

Credits

Georgii Shutiaev reporter

References

support.cpanel.net/...004584983703-WP-Toolkit-CVE-2026-47365

cve.org (CVE-2026-47365)

nvd.nist.gov (CVE-2026-47365)

Download JSON