CVE-2026-47365

CRITICAL

Webpros WordPress-Toolkit < 6.11.0 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Title source: rule

Description

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

References (1)

Core 1

Core References

https://support.cpanel.net/hc/en-us/articles/41004584983703-WP-Toolkit-CVE-2026-47365

Scores

CVSS v3 9.9

EPSS 0.0036

EPSS Percentile 28.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-88

Status published

Products (1)

WebPros/WordPress-Toolkit < 6.11.0

Published Jun 12, 2026

Tracked Since Jun 12, 2026