CVE-2026-47365 CRITICAL

Vendor: Webpros
Product: WordPress-Toolkit
Weakness: CWE-88
Published: June 12, 2026
Last update: June 12, 2026

CVSS base score

9.9/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

An argument injection vulnerability in WordPress Toolkit before 6.11.0, as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

Explanation of Vulnerability in Simple Terms

02 Summary

WordPress-Toolkit versions before 6.11.0 contain a privilege escalation vulnerability. An authenticated user with low privileges can modify site configuration, user accounts, or plugin settings across the entire WordPress installation. The vulnerability requires network access and valid login credentials but no additional user interaction. Sites running affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

Escalate privileges to modify site configuration, users, and plugins across the entire WordPress installation.

Potential impact on your site

04 Site Impact

Any logged-in user, even with minimal permissions, can take control of site settings, create admin accounts, or disable security features.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with low-level privileges and network access.

Key dates

06 Disclosure timeline

June 12, 2026: CVE published
June 12, 2026: Record updated