CVE-2026-47365: WordPress Toolkit Argument Injection in cPanel & WHM

Executive Summary

A critical argument injection vulnerability (CVE-2026-47365) has been disclosed in WordPress Toolkit before version 6.11.0 as deployed within cPanel & WHM hosting control panels. With a CVSS score of 9.9 (Critical), this flaw allows remote authenticated users to bypass cross-tenant authorization controls and execute arbitrary wp-toolkit CLI commands in the context of another hosting account.

CVSS Score: 9.9 (Critical) Published: 2026-06-12 Status: Patch available — upgrade to WordPress Toolkit 6.11.0 or later

In shared hosting environments where cPanel & WHM is used, this vulnerability enables one tenant to issue privileged wp-toolkit CLI commands against another tenant's WordPress installations — a severe multi-tenancy security breach.

Vulnerability Overview

Affected Products

WordPress Toolkit is a cPanel & WHM plugin used by millions of shared and reseller hosting accounts to manage WordPress installations through an integrated control panel interface.

Technical Details

What Is Argument Injection?

Argument injection occurs when user-supplied input is passed to a command-line tool without proper sanitization, allowing an attacker to inject additional CLI flags or subcommands. Unlike command injection (which allows running arbitrary OS binaries), argument injection abuses the target application's own CLI by appending unexpected flags that alter command behavior.

How CVE-2026-47365 Works

In WordPress Toolkit's integration with cPanel & WHM, the plugin constructs wp-toolkit CLI invocations using account identifiers supplied over the network. The authorization check verifying that the calling user owns the target account can be bypassed by crafting an argument that references a different account's identifier.

1. Authenticated attacker (Account A) sends a crafted request to WordPress Toolkit API
2. Request includes injected arguments referencing Account B's wp-toolkit context
3. WordPress Toolkit constructs wp-toolkit CLI call without sufficient cross-tenant validation
4. wp-toolkit CLI executes with Account B's context
5. Attacker can enumerate, modify, or take over Account B's WordPress installations

Why CVSS 9.9?

The near-maximum score reflects:

• Low privilege required — any authenticated hosting account can exploit this
• No user interaction — fully remote, no victim action needed
• Cross-tenant impact — complete confidentiality, integrity, and availability compromise of affected WordPress installations across tenant boundaries

Impact Assessment

Recommendations

Immediate Actions

1. Update WordPress Toolkit to version 6.11.0 or later via the cPanel & WHM plugin manager
2. Audit access logs for unusual cross-account wp-toolkit invocations
3. Verify tenant isolation is enforced at the server level (filesystem permissions, PHP-FPM pools)

For Hosting Providers

- Apply the update during the next maintenance window (or immediately for public-facing servers)
- Review API gateway logs for requests with cross-account argument patterns
- Notify affected tenants if suspicious cross-tenant activity is detected
- Consider temporary rate-limiting or WAF rules for the WordPress Toolkit API endpoint

Detection Signals

Post-Remediation Checklist

1. Confirm WordPress Toolkit is updated to 6.11.0+ on all cPanel & WHM servers
2. Review web server access logs for unusual API patterns before the patch date
3. Check all WordPress installations for unauthorized admin accounts or plugins
4. Verify PHP-FPM / suPHP isolation is correctly configured per tenant
5. Update security documentation and notify tenants as appropriate per your breach notification policy

References

• NIST NVD — CVE-2026-47365
• cPanel Security Advisories
• WordPress Toolkit Documentation