CVE-2026-41940: WebPros cPanel & WHM and WP2 (WordPress Squared) Missing

WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability. WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

• CISA KEV-listed (remediation due 2026-05-03)
• used in ransomware campaigns
• EPSS 91.2% (99.7% percentile)

Related briefings

• Hackers Hijack cPanel Servers Through Critical Login Bypass 2026-06-05

Browse the CVE database

Read the full analysis on IntelFusions