🔥 This vulnerability is being actively exploited in the wild (CISA Known Exploited Vulnerabilities catalog)
CVE-2026-41940: WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Summary
WebPros cPanel & WHM (a web hosting control panel) and WP2 (WordPress Squared, a WordPress management tool) have an authentication bypass vulnerability that lets attackers access the control panel without logging in. This flaw is being actively exploited by hackers in real-world attacks.
Solution / Mitigation
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. See vendor security updates at https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 and https://docs.wpsquared.com/changelogs/versions/changelog/#13617
Vulnerability Details
EPSS: 16.5%
Yes
🔥 Actively Exploited
April 29, 2026
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41940
First tracked: April 30, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%