clayton@site:~/news$ cat cve-2026-41940-webpros-cpanel-whm-and-wp2-wordpress-squared.log

CVE-2026-41940 — WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

2026-04-30 • CISA Known Exploited Vulnerability

[event] WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

> AFFECTED SOFTWARE

Field	Value
Vendor	WebPros
Product	cPanel & WHM and WP2 (WordPress Squared)
CWE	CWE-306
CVE ID	CVE-2026-41940
Date Added	2026-04-30
Due Date	2026-05-03
Ransomware Campaign	Known — this vulnerability has been leveraged in ransomware campaigns

> MITIGATION

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Due Date: 2026-05-03

> REFERENCES

[1] https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-...
[2] https://docs.cpanel.net/release-notes/release-notes/
[3] https://docs.wpsquared.com/changelogs/versions/changelog/#13617
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-41940