Wp2 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/wp2/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000WebPros cPanel & WHM and WP2 Authentication Bypass Vulnerability (CVE-2026-41940)https://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/CVE-2026-41940 is an authentication bypass vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain unauthorized access to the control panel.WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) are affected by an authentication bypass vulnerability, identified as CVE-2026-41940. This flaw exists within the login flow, potentially granting unauthenticated remote attackers unauthorized access to the control panel. Successful exploitation allows attackers to bypass normal authentication mechanisms and directly access sensitive administrative functions within cPanel & WHM and WP2. Defenders should apply vendor-provided mitigations or discontinue use of the product if mitigations are not available. The vulnerability was disclosed in April 2026, and mitigations should be applied by May 3, 2026.

Attack Chain

  1. The attacker identifies a vulnerable cPanel & WHM or WP2 instance.
  2. The attacker crafts a malicious HTTP request exploiting the authentication bypass vulnerability in the login flow.
  3. The request is sent to the target server, bypassing authentication checks.
  4. The server incorrectly processes the request, granting the attacker an authenticated session.
  5. The attacker leverages the authenticated session to access administrative interfaces and settings.
  6. The attacker modifies server configurations, potentially creating new administrative accounts.
  7. The attacker installs malicious plugins or software through the control panel.
  8. The attacker achieves full control over the web server and hosted websites.

Impact

Successful exploitation of CVE-2026-41940 can lead to complete compromise of the affected cPanel & WHM or WP2 server. This can result in data breaches, website defacement, malware distribution, and denial-of-service attacks. The impact is significant due to the widespread use of cPanel & WHM in web hosting environments. Compromised servers could be leveraged for further attacks against other systems and networks.

Recommendation

  • Apply mitigations provided by WebPros as detailed in their security update advisory to address CVE-2026-41940.
  • Deploy the Sigma rule “Detect cPanel/WHM Authentication Bypass Attempt” to identify potential exploitation attempts in web server logs.
  • If mitigations cannot be immediately applied, follow BOD 22-01 guidance for cloud services, potentially isolating the affected system until patched.
  • Consider discontinuing use of the affected product if patches or mitigations are unavailable, as advised in the original CISA KEV entry.
]]>criticaladvisorycpanelwhmwp2wordpressauthentication-bypasscve-2026-41940initial-access