PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47365 cPanel CVE debrief

An argument injection vulnerability in WP Toolkit before version 6.11.0, as bundled with cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization boundaries and execute arbitrary wp-toolkit CLI commands under the context of another account. The flaw exists in how WP Toolkit handles command-line arguments, permitting injection that subverts intended tenant isolation on multi-user cPanel servers. cPanel published this advisory on June 5, 2026, with a subsequent modification on June 11, 2026. The vendor has released WP Toolkit version 6.11.0 to remediate the issue. Administrators must update via the provided installer script executed as root. No CISA KEV listing or known ransomware campaign use has been identified.

Vendor: cPanel
Product: WP Toolkit
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-05
Original CVE updated: 2026-06-11
Advisory published: 2026-06-05
Advisory updated: 2026-06-11

Who should care

System administrators managing cPanel & WHM servers with WP Toolkit installed; hosting providers operating multi-tenant cPanel environments; security teams responsible for patch management and tenant isolation in shared hosting infrastructure.

Technical summary

WP Toolkit versions prior to 6.11.0 contain an argument injection flaw that enables authenticated cPanel users to craft malicious input passed to wp-toolkit CLI commands. This injected input bypasses cross-tenant authorization controls, allowing command execution as a different account on the same server. The vulnerability affects all cPanel server operating systems with the vulnerable WP Toolkit version installed. The fix in version 6.11.0 corrects input handling to prevent unauthorized argument injection and cross-tenant command execution.

Defensive priority

high

Recommended defensive actions

  • On all cPanel servers with WP Toolkit installed, verify the current wp-toolkit version. If below 6.11.0, schedule maintenance to run the vendor-provided installer script as root to update to version 6.11.0.
  • After updating, confirm the installed version by checking wp-toolkit output or package metadata.
  • Review server logs for anomalous wp-toolkit CLI execution patterns, particularly commands run outside expected user contexts, focusing on the period prior to patching.
  • Restrict cPanel account access where possible and enforce least-privilege principles to reduce exposure from authenticated attack vectors.
  • If indicators of unauthorized cross-tenant command execution are found, initiate incident response procedures to assess potential account compromise or data access.
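For the version checks in the first two actions above, the following added example (not cPanel's tooling and not code from the advisory) classifies a fleet inventory against the fixed release 6.11.0. It assumes the version string for each host has already been collected by whatever means the operator uses; the hostnames, build suffixes and inventory format are constructed for illustration.

```python
import re

FIXED = (6, 11, 0)  # first fixed WP Toolkit release named in the advisory

# Constructed sample inventory: "<host> <reported version>".
# Hostnames and build suffixes are made up for this example.
SAMPLE_INVENTORY = """\
# host                version string as collected
web01.example.test    6.11.0-9100
web02.example.test    6.9.2
web03.example.test    6.10.14-8876
web04.example.test
web05.example.test    6.12.1
"""

def parse_version(raw):
    """Return (major, minor, patch) as ints, or None if unparseable."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", raw or "")
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def classify(raw):
    """Compare numerically; string comparison would rank '6.9.2' above '6.11.0'."""
    version = parse_version(raw)
    if version is None:
        return "unknown"  # fail closed: no version evidence means not verified
    return "patched" if version >= FIXED else "vulnerable"

def audit(inventory_text):
    """Map each host in the inventory to patched / vulnerable / unknown."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        results[parts[0]] = classify(parts[1] if len(parts) > 1 else "")
    return results

def needs_action(results):
    """Hosts that are vulnerable or could not be verified, sorted."""
    return sorted(h for h, state in results.items() if state != "patched")

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as "unknown" belong in the same remediation queue as vulnerable ones until a version is confirmed.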

Evidence notes

The vulnerability description, affected versions, and remediation command are derived from the official cPanel support article, a vendor-official source treated as high confidence.

Official resources

cPanel disclosed this vulnerability via an official support article on June 5, 2026, and updated it on June 11, 2026.