CVE detail
CVE-2026-41940: WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Source: CISA Known Exploited Vulnerabilities catalog
Vendor / product
WebPros · cPanel & WHM and WP2 (WordPress Squared)
- Date added (KEV): Apr 30, 2026
- CISA due date: May 03, 2026
- Ransomware campaign use: Known
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vendor fix: Vendor advisory
From CISA
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 ; https://docs.cpanel.net/release-notes/release-notes/ ; https://docs.wpsquared.com/changelogs/versions/changelog/#13617 ; https://nvd.nist.gov/vuln/detail/CVE-2026-41940
References
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 (Vendor Advisory)
- https://docs.cpanel.net/release-notes/release-notes (Release Notes)
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617 (Release Notes)
- https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026 (Third Party Advisory)
- https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow (Third Party Advisory)