Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.
The CWE-88 (argument injection) vulnerability occurs because input supplied by an authenticated user is improperly sanitized before being passed as arguments to the wp-toolkit CLI interface. An attacker can inject additional arguments that change the command execution context — as a result, the operation is performed on another tenant's account, bypassing account isolation mechanisms in the cPanel & WHM environment. No user interaction or elevated privileges are required — only possession of any authenticated account is necessary.
An attacker can execute arbitrary wp-toolkit CLI commands as another account on the system, leading to complete takeover of another tenant's WordPress site, data theft, file modification, and potential further lateral movement in the hosting environment.
Update WordPress Toolkit to version 6.11.0 or later. Detailed information is available in the official cPanel security bulletin at the reference provided: https://support.cpanel.net/hc/en-us/articles/41004584983703-WP-Toolkit-CVE-2026-47365
WordPress Toolkit prior to version 6.11.0 installed as a component of cPanel & WHM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H