CVE-2026-41940 - WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Project: WebPros
Product: cPanel & WHM and WP2 (WordPress Squared)
Date Added: 2026-04-30
Due Date: 2026-05-03
Vulnerability Name
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Description
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Known To Be Used in Ransomware Campaigns?
Known
Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional Notes
https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
https://docs.cpanel.net/release-notes/release-notes/
https://docs.wpsquared.com/changelogs/versions/changelog/#13617
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
Related News Articles
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root (May 23, 2026)
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor (May 12, 2026)
cPanel, WHM Release Fixes for Three New Vulnerabilities - Patch Now (May 9, 2026)
Multiple threat actors actively exploit cPanel vulnerability (CVE-2026-41940) (May 4, 2026)
Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks (May 4, 2026)