Exposures › CVE-2026-41940
WebPros cPanel & WHM and WP2 suffered a critical authentication bypass allowing unauthenticated remote attackers to access the control panel.
This vulnerability enables unauthenticated remote attackers to bypass login controls and access the WebHost Manager and WordPress Squared control panels, exposing sensitive administrative functions. For DIB organizations, this represents a high-risk supply-chain failure where a widely used hosting management tool can be compromised without credentials, potentially leading to data exfiltration or ransomware deployment. Immediate patching and vendor accountability are required to mitigate this active exploitation risk.
Shame score — Critical authentication bypass in a widely deployed hosting management tool that is actively exploited and linked to ransomware.
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
No correlated FedRAMP products.