{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wp-squared/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cPanel","WHM","WP Squared"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","cpanel","whm","wp squared","linux"],"_cs_type":"advisory","_cs_vendors":["cPanel"],"content_html":"\u003cp\u003eA vulnerability has been discovered in WHM, cPanel, and WP Squared, which are Linux-based web hosting control panels commonly used for server and website management. This vulnerability could allow unauthenticated remote attackers to bypass authentication mechanisms. By exploiting this flaw, attackers can gain unauthorized administrative access to the affected systems. This level of access could allow them to inject malicious code and achieve remote code execution. The impact of successful exploitation is significant, as it allows attackers to fully compromise the target system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUnauthenticated attacker sends a specially crafted request to a vulnerable cPanel, WHM, or WP Squared endpoint.\u003c/li\u003e\n\u003cli\u003eThe request exploits an authentication bypass vulnerability, allowing the attacker to proceed without valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized administrative access to the web hosting control panel.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the administrative access to upload a malicious PHP script to a writable directory on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to execute the uploaded PHP script.\u003c/li\u003e\n\u003cli\u003eThe PHP script executes arbitrary commands on the underlying Linux operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell to maintain persistent access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further reconnaissance, lateral movement, or data exfiltration based on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants attackers full control over the affected web hosting servers. This can lead to complete compromise of hosted websites, data theft, defacement, or the deployment of further malicious payloads. Given the wide use of cPanel, WHM, and WP Squared among web hosting providers, a large number of servers and websites are potentially at risk. The impact includes significant financial losses, reputational damage, and potential legal liabilities for both the hosting providers and their clients.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates provided by cPanel to remediate the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious PHP Upload via cPanel\u003c/code\u003e to identify potential malicious PHP script uploads.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to cPanel endpoints, focusing on unusual parameters or authentication attempts, as covered by the Sigma rule \u003ccode\u003eDetect Cpanel Authentication Bypass Attempts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised cPanel server on other internal systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T16:20:57Z","date_published":"2026-05-04T16:20:57Z","id":"/briefs/2026-05-cpanel-rce/","summary":"A vulnerability exists in WHM, cPanel, and WP Squared, Linux-based web hosting control panels, which could allow for remote code execution by bypassing authentication and gaining administrative access.","title":"WHM, cPanel, and WP Squared Vulnerability Allows Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-cpanel-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — WP Squared","version":"https://jsonfeed.org/version/1.1"}