Technical description
WebPros cPanel & WHM and WP2 (WordPress Squared) contain a critical authentication bypass vulnerability (CWE-306: Missing Authentication for Critical Function) that allows unauthenticated remote attackers to bypass the login screen and gain full administrative access to web hosting control panels without credentials.
Attack vector
Remote, unauthenticated attackers exploit a logic flaw in the authentication flow to reach the control panel with full administrative privileges; no credentials are required. CISA has confirmed active in-the-wild exploitation. All supported cPanel/WHM versions prior to the April 28, 2026 security update are affected, and at least one hosting provider has observed exploitation attempts dating back to February 23, 2026, roughly two months before a fix was available.
Affected systems
All cPanel & WHM installations and WP2 (WordPress Squared) systems running versions released before April 28, 2026. cPanel is one of the most widely deployed web hosting control panels, with tens of millions of websites managed through it, so exposure extends beyond organizations that operate the panel themselves to the customers of hosting providers that do.
Mitigation
Apply the security updates released April 28, 2026 immediately. cPanel has published patched versions for all supported releases. Web hosting providers including Namecheap, HostGator, and KnownHost temporarily blocked customer panel access while deploying the patches. The federal remediation due date under CISA BOD 22-01 is May 3, 2026. Organizations that do not manage the panel themselves should confirm patch status with their hosting provider. Because exploitation predates the patch by roughly two months, patching alone is not sufficient: audit panel access logs for administrative sessions that cannot be attributed to known operators from at least February 23, 2026 onward, and treat any such session as a potential compromise of every account the panel controls.
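The log review recommended above, as an added example (not cPanel's own tooling, and not part of the original advisory): it scans access-log lines for successful administrative requests inside the exposure window and groups them into sessions whose source IP is not on an operator-maintained allowlist. The line format (Apache combined style with a cPanel session id in the path), the use of the root user and /scripts paths as the marker for WHM-level activity, the allowlist, and all sample log lines are assumptions constructed for the example; adapt the regex and heuristics to the log format actually present on the server.

```python
"""Flag administrative panel sessions from unknown IPs during the exploitation window.

Added example, not cPanel's tooling. Log format, admin heuristics, allowlist
and sample lines are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Exposure window from the advisory: earliest observed exploitation attempts
# (Feb 23, 2026) through the day the fix shipped (Apr 28, 2026).
WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 28, 23, 59, 59, tzinfo=timezone.utc)

# Assumed combined-style line: ip - user [ts] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
SESSION_RE = re.compile(r"/cpsess(\d+)")     # assumed session-id path prefix
TS_FMT = "%m/%d/%Y:%H:%M:%S %z"              # assumed timestamp layout
ADMIN_USERS = {"root"}                       # heuristic: WHM-level identity

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - root [03/01/2026:09:12:44 -0000] "GET /cpsess9912345678/scripts/listaccts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.77 - root [03/15/2026:02:14:07 -0000] "GET /cpsess4312345678/scripts/listaccts HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.77 - root [03/15/2026:02:14:09 -0000] "POST /cpsess4312345678/scripts/wwwacct HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '198.51.100.77 - root [02/10/2026:11:00:00 -0000] "GET /cpsess1112345678/scripts/listaccts HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '192.0.2.5 - alice [03/20/2026:14:30:00 -0000] "GET /cpsess5512345678/frontend/jupiter/index.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '198.51.100.78 - root [03/16/2026:02:14:07 -0000] "GET /cpsess4412345678/scripts/listaccts HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    "garbage line that does not parse",
]
KNOWN_ADMIN_NETS = ["203.0.113.0/24"]  # assumed operator allowlist


def parse_line(line):
    """Return a record dict for a parseable line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    sid = SESSION_RE.search(m.group("path"))
    return {
        "ip": m.group("ip"), "user": m.group("user"), "ts": ts,
        "path": m.group("path"), "status": int(m.group("status")),
        "sid": sid.group(1) if sid else None,
    }


def is_admin(rec):
    """Heuristic: root identity or a WHM-style /scripts path (assumption)."""
    return rec["user"] in ADMIN_USERS or "/scripts" in rec["path"]


def audit(lines, allowlist):
    """Group successful, in-window admin requests from unknown IPs into sessions.

    Failed requests (>= 400) are excluded here because the goal is to find
    sessions that actually obtained access; count them separately to see attempts.
    Returns (findings sorted by first_seen, number of unparseable lines).
    """
    nets = [ip_network(a, strict=False) for a in allowlist]
    sessions, skipped = defaultdict(list), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if not (is_admin(rec) and WINDOW_START <= rec["ts"] <= WINDOW_END
                and rec["status"] < 400):
            continue
        if any(ip_address(rec["ip"]) in net for net in nets):
            continue
        sessions[(rec["sid"] or "nosession", rec["ip"], rec["user"])].append(rec)
    findings = []
    for (sid, ip, user), recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        findings.append({
            "sid": sid, "ip": ip, "user": user,
            "first_seen": recs[0]["ts"].isoformat(),
            "last_seen": recs[-1]["ts"].isoformat(),
            "requests": len(recs),
            "paths": sorted({r["path"].split("?")[0] for r in recs}),
        })
    findings.sort(key=lambda f: f["first_seen"])
    return findings, skipped


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG, KNOWN_ADMIN_NETS)
    for f in found:
        print(f"SUSPECT session {f['sid']} user={f['user']} ip={f['ip']} "
              f"{f['first_seen']}..{f['last_seen']} requests={f['requests']}")
    print(f"{bad} unparseable line(s) skipped")
```

On the constructed sample the only finding is the root session from 198.51.100.77 on March 15; the same IP's February 10 session falls before the window, the 403 from 198.51.100.78 is an attempt rather than a session, and the allowlisted operator address is ignored. On a real server, feed it the panel's access log, populate the allowlist from the operators' actual source ranges, and review every remaining session by hand rather than treating an empty result as proof of no compromise.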