WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Quick answer
WebPros cPanel & WHM and WP2 (WordPress Squared) should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Review vendor advisory for affected versions.
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
CVE-2026-41940 is an authentication bypass in cPanel & WHM and WP2. Because unauthenticated access to the control panel can lead to full hosting compromise, update immediately to a patched cPanel & WHM branch and WP2 136.1.7 or later where WP2 is used. After updating, restart cPanel services, run the vendor detection guidance, and rotate privileged credentials and tokens.
- Identify all cPanel, WHM, DNSOnly, and WP2 servers and record the installed branch/build.
- Run /scripts/upcp --force or the approved hosting control panel update process to reach a patched cPanel & WHM build for the installed branch.
- Update WP2 installations to version 136.1.7 or later if WP2 is installed.
- Restart cpsrvd after the update and confirm /usr/local/cpanel/cpanel -V reports a patched build.
- Run the vendor-provided detection script or recommended checks from the cPanel advisory.
- Rotate root, WHM, reseller, API token, integration, and hosting account credentials if the server was exposed.
- Review cPanel logs, session files, account changes, new SSH keys, cron jobs, and modified hosted sites for indicators of compromise.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the server reports a patched cPanel & WHM build and WP2 136.1.7 or later where applicable.
- Verify cpsrvd restarted successfully and login flows still work for legitimate administrators.
- Confirm the detection script or manual checks do not show suspicious session or logbook artifacts.
- Review privileged account and API token inventory for unexpected entries.
- Run a Fixnx scan against hosted public sites after updating and cleanup.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-41940?
WebPros cPanel & WHM and WP2 (WordPress Squared) should be checked against the vendor advisory and trusted references linked on this page.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
