Anonymous Intelligence Signal

Critical Auth Bypass Vulnerability CVE-2026-41940 in cPanel/WHM and WP2 WordPress Squared Puts Hosting Infrastructure Under Immediate Pressure

Author: The Lab (unverified) | Published: 2026-05-01 00:54:16 | Source: GitHub Issues

A critical authentication bypass vulnerability, CVE-2026-41940, has been identified in WebPros cPanel & WHM (versions 11.40 through 136.x) and WP2 WordPress Squared (prior to 136.1.7), triggering urgent patching efforts across web hosting environments. The flaw, classified as CWE-306 (Missing Authentication for Critical Function), carries a CVSS 3.1 score of 9.8 and a CVSS 4.0 score of 9.3, placing it at the highest severity tier. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on April 30, 2026, with an action due date of May 3, 2026 — a remarkably compressed three-day window that signals active exploitation concerns.

The vulnerability allows unauthenticated remote actors to bypass authentication mechanisms for critical functions, potentially gaining full control over affected systems. watchTowr Labs published a proof-of-concept demonstrating an authentication bypass leading to remote code execution (AuthBypass-to-RCE) on April 30, 2026 — two days after WebPros released an emergency out-of-cycle patch on April 28. The MITRE ATT&CK framework maps the exploitation path to T1190 (Exploit Public-Facing Application), T1059.004 (Command and Scripting Interpreter: Unix Shell), and T1078 (Valid Accounts), indicating a realistic attack chain from initial access to persistent control.

Organizations running cPanel/WHM and WP2 WordPress Squared must prioritize immediate patching given the availability of a working PoC, the vulnerability's critical severity, and the tight CISA KEV remediation deadline. The widespread deployment of cPanel in shared hosting environments means that exploitation could propagate across multiple customer sites on a single infrastructure node, amplifying the potential blast radius. The compressed patching window — particularly against a backdrop of published exploits — leaves little margin for delayed response.