CVE-2026-47365
Received - Intake
WordPress Toolkit Argument Injection in cPanel & WHM

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: HackerOne

Description
An argument injection vulnerability in WordPress Toolkit before 6.11.0, as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.
Affected Vendors & Products
Vendor | Product | Version / Range
wp_toolkit | wp_toolkit | up to 6.11.0 (exclusive)
CWE ID | Description
CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Executive Summary

CVE-2026-47365 is an argument injection vulnerability in WP Toolkit versions before 6.11.0 when used in cPanel & WHM environments.

This flaw allows remote authenticated users to bypass cross-tenant authorization controls and execute arbitrary WP Toolkit CLI commands with the privileges of another account.

Essentially, an attacker who is authenticated can perform actions as if they were another user, potentially compromising other tenants on the same server.

Impact Analysis

This vulnerability can have severe impacts on affected systems.

  • Remote authenticated attackers can bypass authorization boundaries between tenants.
  • Attackers can execute arbitrary WP Toolkit CLI commands as another user, potentially leading to unauthorized access or control over other accounts.
  • This can result in data compromise, service disruption, or further exploitation within a multi-tenant cPanel server environment.

To mitigate these risks, it is critical to update WP Toolkit to version 6.11.0 or later.

Mitigation Strategies

To mitigate the risk of CVE-2026-47365, administrators must update WP Toolkit to version 6.11.0 or later.

The recommended update command for root users is:

  • # /usr/local/cpanel/3rdparty/wp-toolkit/bin/wp-toolkit-installer.sh --version 6.11.0

If the above command fails, an alternative method is to run:

  • # bash <(curl https://wp-toolkit.plesk.com/cPanel/installer.sh || wget -O - https://wp-toolkit.plesk.com/cPanel/installer.sh ) --version 6.11.0