CVE-2026-41940 — WebPros cPanel & WHM and WP2 (WordPress Squared)

known ransomware use

WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

Added to KEV

2026-04-30

Federal due date

2026-05-03

Vendor

WebPros

Product

cPanel & WHM and WP2 (WordPress Squared)

EPSS

99.6th percentile (score 0.903, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Known

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2026-41940

CISA short description

WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.