critical

Argument Injection in WordPress Toolkit before 6.11.0 (cPanel & WHM) — CVE-2026-47365

critical-cve-against-dependency · active

An argument injection flaw in WordPress Toolkit before 6.11.0, as used in cPanel & WHM, lets remote authenticated users bypass cross-tenant authorization and run arbitrary wp-toolkit CLI commands as another account. Update WordPress Toolkit to 6.11.0 or later.

Affected packages

packagistwp-toolkitupgrade to ≥ 6.11.0

Sources

ghsahttps://github.com/advisories/GHSA-h8q3-g2vj-75c6
nvdhttps://nvd.nist.gov/vuln/detail/CVE-2026-47365
google-searchhttps://support.cpanel.net/hc/en-us/articles/41004584983703-WP-Toolkit-CVE-2026-47365