What the vulnerability does
01 Description
Argument injection vulnerability in WordPress Toolkit before 6.11.0, as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.
Explanation of Vulnerability in Simple Terms
02 Summary
WordPress Toolkit versions before 6.11.0 contain a privilege escalation vulnerability. An authenticated user with low privileges can modify site configuration, user accounts, or plugin settings across the entire WordPress installation. The vulnerability requires network access and valid login credentials but no additional user interaction. Sites running affected versions should update immediately.
What an attacker can do
03 Attacker Capabilities
Escalate privileges to modify site configuration, users, and plugins across the entire WordPress installation.
Potential impact on your site
04 Site Impact
Any logged-in user, even with minimal permissions, can take control of site settings, create admin accounts, or disable security features.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low-level privileges and network access.
Key dates
06 Disclosure timeline
June 12, 2026: CVE published
June 12, 2026: Record updated