HarborGuard Database

CRITICAL | CVE-2026-47365 | CNA: hackerone

CVE-2026-47365: Argument injection vulnerability in WordPress Toolkit before 6.11.0

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: 6.11.0
Affected Products: 1


HarborGuard Analysis

Synopsis

An argument injection vulnerability in WordPress Toolkit before version 6.11.0 (as used in cPanel & WHM) lets a remote authenticated user smuggle extra arguments into the wp-toolkit CLI commands that the panel runs on their behalf. Because the injected arguments are interpreted by the CLI rather than treated as data, they defeat the cross-tenant authorization that normally keeps hosting accounts isolated, and the command executes as another account. The attack is reachable over the network and needs only a low-privilege account on any tenant, with no victim interaction. Successful exploitation gives the attacker full read, write, and denial-of-service capability over other tenants' WordPress installations (CVSS 3.1: C:H/I:H/A:H with changed scope). A patched-image rebuild at version 6.11.0 is available on HarborGuard for environments running an affected version.
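The pattern behind this class of bug, as an added illustration that is not code from WordPress Toolkit, cPanel & WHM, or HarborGuard: a panel wrapper builds a CLI command line from request data, so a tenant-supplied value can introduce new options that override the account the command runs as. The `wpt` parser, its `--account`/`--site` options, the `SITE_OWNERS` table and the sample inputs below are all constructed for the example and are not the real wp-toolkit interface; the vulnerable and hardened wrappers show, respectively, the shell-style word splitting that lets an injected `--account` win, and the list-form argv plus allowlist validation and caller-side authorization that close it.

```python
"""Argument injection into a tenant-scoped CLI wrapper (added example).

Hypothetical stand-in for a hosting-panel wrapper around a CLI tool.
Nothing here is the actual wp-toolkit command syntax.
"""
import argparse
import re
import shlex

# Constructed sample data: which hosting account owns which site id.
SITE_OWNERS = {"101": "alice", "202": "bob"}

# Actions the wrapper is allowed to pass through (hypothetical allowlist).
ACTIONS = {"list", "clone", "update"}
SITE_ID = re.compile(r"[0-9]{1,10}")


def wpt_cli(argv):
    """Hypothetical CLI that the panel would normally spawn as a subprocess.

    It trusts --account, because in the real deployment only the panel is
    supposed to set it. With a repeated option, argparse keeps the last value,
    which is what makes injection of a second --account effective.
    """
    parser = argparse.ArgumentParser(prog="wpt")
    parser.add_argument("--account", required=True)
    parser.add_argument("--site", required=True)
    parser.add_argument("action")
    ns = parser.parse_args(argv)
    if SITE_OWNERS.get(ns.site) != ns.account:
        return f"denied: {ns.account} does not own site {ns.site}"
    return f"ok: {ns.action} on site {ns.site} as {ns.account}"


def run_vulnerable(session_account, site_id, action):
    """BUG: request data is spliced into a command string and word-split,
    exactly as if the string had been handed to a shell. A site_id such as
    "202 --account bob" becomes three argv words, and the trailing --account
    overrides the one the wrapper set from the session."""
    cmd = f"wpt --account {session_account} --site {site_id} {action}"
    return wpt_cli(shlex.split(cmd)[1:])  # drop the program name


def run_list_argv(session_account, site_id, action):
    """Partial fix: pass argv as a list, never via a shell or word splitting.
    The whole site_id stays one argument, so "202 --account bob" is looked up
    verbatim as a site id and simply fails the ownership check."""
    return wpt_cli(["--account", session_account, "--site", site_id, action])


def run_hardened(session_account, site_id, action):
    """Full fix: allowlist-validate every request-supplied value, authorize
    against the authenticated session before spawning anything, and still
    use the list form of argv."""
    if not SITE_ID.fullmatch(site_id):
        raise ValueError(f"invalid site id: {site_id!r}")
    if action not in ACTIONS:
        raise ValueError(f"invalid action: {action!r}")
    if SITE_OWNERS.get(site_id) != session_account:
        raise PermissionError(f"{session_account} does not own site {site_id}")
    return wpt_cli(["--account", session_account, "--site", site_id, action])


def attempt(fn, *args):
    """Run a wrapper and fold exceptions into a result string for comparison."""
    try:
        return fn(*args)
    except (ValueError, PermissionError) as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # alice is authenticated; site 202 belongs to bob.
    injected = "202 --account bob"
    print(attempt(run_vulnerable, "alice", injected, "clone"))   # runs as bob
    print(attempt(run_list_argv, "alice", injected, "clone"))    # denied
    print(attempt(run_hardened, "alice", injected, "clone"))     # rejected
    print(attempt(run_hardened, "alice", "101", "list"))          # ok, own site
```

The list-form argv alone stops this particular injection, but the hardened wrapper is the shape to aim for: the tenant identity comes from the session and is checked before the CLI is invoked, so the command line never carries a decision the caller could rewrite.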

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-47365 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle WordPress Toolkit or cPanel/WHM components.

Triage (Available)

HarborGuard scores this finding at CVSS 9.9 Critical and weights it against each customer environment's configured compliance policy, surfacing it to the appropriate team inbox based on severity thresholds and ownership mappings defined within that organization.

Patch (Available)

A patched-image rebuild at WordPress Toolkit 6.11.0 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite against the resulting image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; the attacker sends crafted requests to the WordPress Toolkit functionality exposed through the cPanel & WHM interface from a remote location.

  • Authentication: Required

    A low-privilege account on any tenant of the hosting environment is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    No action by another user or administrator is required to complete the attack.

  • Attack complexity: Low

    CVSS rates attack complexity Low (AC:L): the injected arguments are interpreted deterministically by the CLI, so no race conditions, special memory layout, or environmental prerequisites are needed.

Blast Radius

  • Reads all files, database contents, and credentials (including stored API keys and session tokens) belonging to any WordPress installation on the affected hosting server, across tenant boundaries.
  • Writes or overwrites WordPress files, database rows, and configuration on targeted tenants, enabling content modification, backdoor implantation, or privilege escalation within those sites.
  • Executes arbitrary wp-toolkit CLI commands as another account, meaning an attacker can install or remove plugins, create admin users, and alter site settings on tenants they do not own.
  • Crashes or degrades WordPress sites on the same server by issuing destructive CLI commands, causing service disruption for all affected tenants.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47365 is active the moment the advisory enters upstream feeds, with matching running against all registered images including cPanel/WHM-derived and WordPress-Toolkit-bundled base images. Where a scanned image is found to carry a WordPress Toolkit version below 6.11.0, a rebuilt image at the patched version becomes available immediately.

For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression test run against the new image, and opens a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is routed to the configured owner inbox with full CVSS detail and fix-version guidance so the team can act manually.

Given the cross-tenant nature of this vulnerability, customers running multi-tenant hosting infrastructure should treat remediation as urgent regardless of auto-remediation settings.


Fix available: 6.11.0

Affected packages
  • WebPros / WordPress-Toolkit: < 6.11.0 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H