WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Details
CVSS v3
9.8
CVSS v4
9.3
NVD published
2026-04-29 16:16:25
CISA date
2026-04-30
EPSS
67.0% probability · 98.6th percentile — 2026-05-12
Affected versions
All unpatched versions of WebPros cPanel & WHM and WP2 (WordPress Squared)
Summary
This vulnerability enables unauthenticated remote attackers to bypass authentication in the login flow of cPanel & WHM and WP2. Attackers can gain full unauthorized access to the system control panel without valid credentials. The issue is confirmed as known to be exploited and is listed in the CISA KEV catalog.
Remediation
Immediately apply the latest official security patches from WebPros for affected products. Restrict public access to the control panel from untrusted networks until patching is fully completed. Follow any additional guidance provided by CISA for known exploited vulnerabilities.
Exploit info
This vulnerability is recorded in CISA KEV (CISA Known Exploited Vulnerabilities catalog, dateAdded 2026-04-30). You may check Exploit-DB or GitHub for potential exploit details.