CVE-2026-41940: WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
CVE-2026-41940 is a Severity not scored in source feed flaw in WebPros cPanel & WHM and WP2 (WordPress Squared). WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. It is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-04-30), meaning it is being actively exploited, including in ransomware campaigns. The fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Source: CISA Known Exploited Vulnerabilities Catalog. Data as of 2026-06-13.
Vulnerability details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-41940 |
| Vulnerability | WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability |
| Vendor / product | WebPros — cPanel & WHM and WP2 (WordPress Squared) |
| CVSS base score | Not in source feed |
| Severity | — |
| Weakness (CWE) | CWE-306 |
| Added to CISA KEV | 2026-04-30 |
| CISA remediation due | 2026-05-03 |
| Known ransomware use | Known |
Source: CISA Known Exploited Vulnerabilities Catalog. Data as of 2026-06-13.
What is the risk?
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
This vulnerability has known use in ransomware campaigns, which raises its practical urgency: exploitation has been observed as part of attacks that encrypt or exfiltrate data for extortion.
How to remediate CVE-2026-41940
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
U.S. federal civilian agencies were required to remediate this vulnerability by 2026-05-03 under CISA Binding Operational Directive 22-01. Private organizations should treat it with comparable urgency.
References
Frequently asked questions
What is CVE-2026-41940?
CVE-2026-41940 is a vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared): WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
How severe is CVE-2026-41940?
The CISA KEV catalog does not publish a CVSS base score for this entry. Check the NVD record for the official score. Its presence in the KEV catalog means it is confirmed to be exploited in the wild.
Is CVE-2026-41940 being exploited in the wild?
Yes. It appears in the CISA Known Exploited Vulnerabilities (KEV) catalog, which only lists vulnerabilities with reliable evidence of active exploitation. It was added on 2026-04-30. It has known use in ransomware campaigns.
How do I fix CVE-2026-41940?
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Related vulnerabilities
- CVE-2009-3459: Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
- CVE-2025-48595: Android Framework Integer Overflow Vulnerability
- CVE-2026-7473: Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
- CVE-2026-42271: BerriAI LiteLLM Command Injection Vulnerability
Last updated: 2026-06-13