Security Advisory - Published 2026-06-12 - cPanel / WP Toolkit

cPanel WP Toolkit CVE-2026-47365: check version, tenants, and wp-toolkit activity

CVE-2026-47365 affects WP Toolkit before 6.11.0 when used in cPanel & WHM. The broken boundary matters most on shared hosting: an authenticated user may be able to run WP Toolkit CLI actions as another account. Hosts should patch quickly and review cross-account WordPress actions before closing the incident.

Defensive scope: this page is for servers you own or administer. It does not include argument strings, bypass details, or tests against third-party cPanel accounts.

Who should check

  • Shared hosting providers running cPanel & WHM with WP Toolkit installed.
  • Agencies managing several customer cPanel accounts on one server.
  • VPS owners who installed WP Toolkit and allow more than one cPanel user.
  • MSPs that delegate WordPress management to client logins.

10-minute self-check

Check WP Toolkit version

/usr/local/cpanel/3rdparty/bin/wp-toolkit --version 2>/dev/null
rpm -qa | grep -i wp-toolkit
grep -Rni "wp-toolkit" /usr/local/cpanel /var/cpanel 2>/dev/null | head -50

Any WP Toolkit version lower than 6.11.0 should be treated as affected. If the binary path is missing, confirm from WHM's WP Toolkit interface and the package manager before assuming the server is clean.

Check cPanel update state

/usr/local/cpanel/cpanel -V
/usr/local/cpanel/scripts/upcp --help | head
/usr/local/cpanel/scripts/check_cpanel_rpms --list-only 2>/dev/null | grep -i wp

Do not rely on the WHM dashboard alone. Confirm what is installed on the host and what update channel the server is using, especially if updates are pinned.

Review cross-account changes

grep -RniE "wp-toolkit|wordpress toolkit" /usr/local/cpanel/logs /var/cpanel/logs 2>/dev/null | tail -200
find /home -maxdepth 3 -name wp-config.php -mtime -3 -print 2>/dev/null | head -100

Look for WordPress management actions on accounts that the requesting user should not control, new plugin installs, unexpected admin users, theme edits, or modified wp-config.php files.
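The two questions the self-check asks (is the installed version below 6.11.0, and did any WP Toolkit action touch an account other than the one performing it) can be scripted so the same check is repeated after the update finishes (step 5 of the fix path). The following POSIX shell script is an added example, not part of this advisory and not WP Toolkit's own tooling. The log line layout, the account names and the version strings in it are constructed for illustration; real WP Toolkit logs use a different format, so the `actor=`/`target=` field parsing must be adapted to what your logs actually contain. Only the fixed version 6.11.0 comes from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory, cPanel or WP Toolkit).
# Two checks: a dotted-version comparison against the fixed release, and a scan
# of log lines for actions where the acting cPanel user is not the owning account.

FIXED_VERSION="6.11.0"   # first fixed WP Toolkit release named in the advisory

# version_lt A B: returns 0 (true) when dotted version A is lower than B.
# Only the first three numeric components are compared; a suffix such as
# "-1.el8" on a component is ignored. ".0.0" is appended so short versions
# like "6.9" still yield three fields.
version_lt() {
    a="$1.0.0"; b="$2.0.0"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}     # keep leading digits only
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal -> not lower
}

# wpt_version_affected V: true when WP Toolkit version V is below the fix.
# Feed it the output of your real version command, e.g.:
#   wpt_version_affected "$(wp-toolkit --version 2>/dev/null)" && echo "PATCH NEEDED"
wpt_version_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# Constructed sample log (hypothetical layout): one action per line with
# actor=<cPanel user performing the action> and target=<account that owns the site>.
SAMPLE_LOG='2026-06-13T09:58:01 wp-toolkit actor=alice target=alice action=update-plugin site=alice.example
2026-06-13T10:01:22 wp-toolkit actor=alice target=bob action=install-plugin site=bob.example
2026-06-13T10:03:40 wp-toolkit actor=root target=carol action=security-scan site=carol.example
2026-06-13T10:07:15 wp-toolkit actor=dave target=bob action=create-admin-user site=bob.example'

# flag_cross_account: reads log lines on stdin and prints those where the actor
# is neither the owning account nor the server administrator (root). These are
# the lines the advisory says need deeper review.
flag_cross_account() {
    awk '
        {
            actor = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^actor=/)  actor  = substr($i, 7)
                if ($i ~ /^target=/) target = substr($i, 8)
            }
            if (actor != "" && target != "" && actor != target && actor != "root") print
        }'
}

# cross_account_count: number of flagged lines in the constructed sample.
cross_account_count() {
    printf '%s\n' "$SAMPLE_LOG" | flag_cross_account | wc -l | tr -d ' '
}

# Stand-alone run: show both checks on the constructed data.
if [ "${1:-}" = "--demo" ]; then
    for v in 6.10.2 6.11.0 6.12.1; do
        if wpt_version_affected "$v"; then echo "$v: affected"; else echo "$v: fixed"; fi
    done
    echo "cross-account actions in sample log:"
    printf '%s\n' "$SAMPLE_LOG" | flag_cross_account
fi
```

On a real host, replace `SAMPLE_LOG` with the output of the `grep` over `/usr/local/cpanel/logs` and `/var/cpanel/logs` shown above, and map the actor and owning-account fields to whatever the actual log lines carry. An action by `root` is excluded only because WHM administrators legitimately manage every tenant; if your environment delegates through reseller accounts, those need their own allow-list rather than a blanket exclusion.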

Safe fix path

  1. Update WP Toolkit to 6.11.0 or newer through the supported cPanel update path.
  2. Keep a copy of relevant cPanel and WP Toolkit logs before cleaning up accounts.
  3. Review every cPanel account that shares the host with untrusted users.
  4. Rotate WordPress admin passwords and API keys for sites with suspicious changes.
  5. Confirm WP Toolkit reports the fixed version after the update finishes.

Signs that need deeper review

  • WP Toolkit activity touching an account that does not match the logged-in cPanel user.
  • New WordPress administrator accounts, plugins, mu-plugins, or modified themes.
  • Unexpected file changes under another tenant's public_html.
  • Recent backups, clones, or security scan actions triggered by unknown users.

Ping7 repair path

Ping7 can review WP Toolkit version state, tenant boundaries, cPanel logs, WordPress admin users, plugin changes, and post-patch verification. Use CVE Repair and include the server OS, cPanel version, WP Toolkit version, and whether this is shared hosting.
