CVE-2026-41940: WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

Summary

A critical authentication bypass exists in WebPros cPanel & WHM and WP2 (WordPress Squared): a missing authentication check (CWE-306, Missing Authentication for Critical Function) in the login flow lets an unauthenticated remote attacker reach the control panel without valid credentials. Users are advised to apply vendor-provided mitigations, or to discontinue use of the product if mitigations are unavailable.

IFF Assessment

FOE

This vulnerability allows attackers to bypass authentication and gain unauthorized access to critical control panel functions. Because cPanel manages a hosting account and WHM administers the whole server, a successful bypass gives the attacker the full reach of whichever panel the login flow exposes, which is a significant risk to the host.

Severity

9.8 Critical

The vulnerability allows unauthorized remote access with high impact on system confidentiality and integrity. The attack vector is network-based, the complexity is low, and, since the attacker is unauthenticated, no privileges or user interaction are required, which makes it highly exploitable.

CISA KEV: Listed as actively exploited. Federal patch due: May 03, 2026. Known ransomware use: Unknown.

Defender Context

This vulnerability is a serious threat: exploitation needs no credentials and the flaw is already in CISA's KEV catalog, so every internet-reachable cPanel, WHM or WP2 login endpoint should be treated as exposed. Defenders should apply the vendor patch or mitigation immediately; where neither is yet available, restrict the panel ports (cPanel 2082/2083, WHM 2086/2087) to trusted networks as an interim measure and remediate WHM hosts first, since WHM administers the whole server. Federal agencies must remediate by the due date above under BOD 22-01, including cloud services covered by BOD 22-01 guidance. Because the flaw is known to be exploited, also review panel login and access logs for the period before patching rather than assuming hosts are clean. The potential for unauthenticated access underlines the importance of an accurate inventory of exposed panels, regular vulnerability scanning and prompt remediation.
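To turn the prioritisation advice above into a concrete check, the following Python script is an added example (not part of this advisory, and not WebPros or CISA tooling) that triages nmap grepable output for hosts with cPanel & WHM service ports open, ranking WHM above cPanel. It assumes the standard cPanel & WHM listener ports (2082/2083 cPanel, 2086/2087 WHM, 2095/2096 Webmail, all served by cpsrvd) and the `nmap -oG` `Host:` line layout; it does not cover WP2 (WordPress Squared), whose ports the page does not state. The scan output embedded below is constructed for illustration, not a real scan.

```python
"""Triage nmap -oG output for exposed cPanel & WHM management ports.

Added example for prioritising CVE-2026-41940 remediation; not part of the
advisory or of WebPros' tooling. Assumes the standard cPanel & WHM ports and
the nmap grepable "Host:" line format. WP2 ports are not assumed.
"""
import re
from datetime import date

# Standard cPanel & WHM listener ports (fact, not assumption).
CPANEL_PORTS = {
    2082: "cPanel (http)",
    2083: "cPanel (https)",
    2086: "WHM (http)",
    2087: "WHM (https)",
    2095: "Webmail (http)",
    2096: "Webmail (https)",
}
# WHM is the server-wide root panel, so an auth bypass there ranks highest.
PRIORITY = {2086: 3, 2087: 3, 2082: 2, 2083: 2, 2095: 1, 2096: 1}

KEV_DUE = date(2026, 5, 3)  # federal remediation deadline from the KEV entry

# Constructed nmap -oG output for illustration; not a real scan.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 (web1.example.net)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 2083/open/tcp//ssl|http///, 2087/open/tcp//ssl|http///
Host: 203.0.113.11 (mail.example.net)\tPorts: 25/open/tcp//smtp///, 2096/open/tcp//ssl|http///
Host: 203.0.113.12 (db.example.net)\tPorts: 3306/open/tcp//mysql///
Host: 203.0.113.13 (web2.example.net)\tPorts: 443/open/tcp//ssl|http///, 2087/filtered/tcp//ssl|http///
# Nmap done
"""

# nmap -oG: "Host: <ip> (<name>)<tab>Ports: <port>/<state>/<proto>//<svc>///, ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Yield (ip, hostname, {port: state}) for each Host line with a Ports field."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports_field = m.groups()
        ports = {}
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            ports[int(fields[0])] = fields[1]  # "open", "filtered", "closed", ...
        yield ip, name, ports


def exposed_panels(text):
    """Return hosts with an *open* cPanel/WHM port, highest priority first.

    Filtered ports are deliberately ignored: the panel may be running, but it
    is not reachable from the scanning vantage point, so it is not exposed.
    """
    findings = []
    for ip, name, ports in parse_grepable(text):
        hits = sorted(p for p, state in ports.items()
                      if p in CPANEL_PORTS and state == "open")
        if hits:
            findings.append({
                "ip": ip,
                "host": name,
                "ports": hits,
                "services": [CPANEL_PORTS[p] for p in hits],
                "priority": max(PRIORITY[p] for p in hits),
            })
    findings.sort(key=lambda f: (-f["priority"], f["ip"]))
    return findings


def days_until_due(today_iso):
    """Days left until the KEV federal due date; negative once overdue."""
    return (KEV_DUE - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    for f in exposed_panels(SAMPLE_SCAN):
        detail = ", ".join(f"{p} {s}" for p, s in zip(f["ports"], f["services"]))
        print(f"P{f['priority']} {f['ip']:<15} {f['host']:<20} {detail}")
    print("days until federal due date:", days_until_due(date.today().isoformat()))
```

Feed it a real scan with `nmap -p 2082,2083,2086,2087,2095,2096 -oG panels.gnmap <ranges>` and pass the file contents to `exposed_panels`; hosts that only show `filtered` ports are left out on purpose, since the question being answered is exposure, not installation.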
