CVE-2026-41940

CVE-2026-41940: WebPros cPanel & WHM / WP2 Missing Authentication for Critical Function

CVE-2026-41940 is an actively exploited missing authentication vulnerability (CWE-306) in WebPros cPanel & WHM and WP2 (WordPress Squared). Unauthenticated remote attackers can invoke critical administrative functions without valid credentials, enabling account takeover, malicious plugin installation, privilege escalation, and full server compromise. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV — Known Exploited

What is CVE-2026-41940: WebPros cPanel & WHM / WP2 Missing Authentication for Critical Function?

CVE-2026-41940: WebPros cPanel & WHM / WP2 Missing Authentication for Critical Function maps to the MITRE ATT&CK tactics Initial Access (the adversary is trying to get into your network), Privilege Escalation and Persistence.

This page provides production-ready detection logic for CVE-2026-41940: WebPros cPanel & WHM / WP2 Missing Authentication for Critical Function, covering the data sources and telemetry it touches: IIS Web Logs, Azure Application Gateway, WAF Logs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access, Privilege Escalation, Persistence

Microsoft Sentinel / Defender (Kusto Query Language)
union isfuzzy=true
(
    W3CIISLog
    // W3CIISLog records the authenticated user as csUserName and the HTTP status as the string column scStatus
    | where csUriStem has_any ("/cpsess", "/json-api", "/execute", "/wp-json", "/xmlapi")
      and (csMethod == "POST" or csMethod == "GET")
      and (csUriStem has_any ("createacct", "removeacct", "passwd", "addpkg", "suspendacct", "unsuspendacct", "installplugin", "createuser"))
      and (toint(scStatus) between (200 .. 299) or scStatus == "301")
      // the username test must be parenthesised: "and" binds tighter than "or" in KQL, so without the
      // brackets every request logged with csUserName == "-" would match regardless of path or status
      and (isempty(csUserName) or csUserName == "-")
    | extend TargetHost = csHost, AttackerIP = cIP, RequestPath = csUriStem, ResponseCode = toint(scStatus)
    | project TimeGenerated, AttackerIP, TargetHost, RequestPath, ResponseCode, csMethod, csUserAgent
),
(
    AzureDiagnostics
    | where Category == "ApplicationGatewayAccessLog"
      and requestUri_s has_any ("/json-api", "/execute", "/xmlapi", "/wp-json")
      and requestUri_s has_any ("createacct", "passwd", "installplugin", "addpkg")
      and httpStatus_d between (200 .. 299)
    // cast to int so ResponseCode has a single type across both union legs
    | extend AttackerIP = clientIP_s, RequestPath = requestUri_s, ResponseCode = toint(httpStatus_d)
    | project TimeGenerated, AttackerIP, RequestPath, ResponseCode
)
| summarize RequestCount = count(), DistinctPaths = dcount(RequestPath), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by AttackerIP
| where RequestCount >= 1
| extend RiskScore = iif(RequestCount >= 5, "High", "Medium")
| sort by RequestCount desc

Detects unauthenticated HTTP requests targeting cPanel & WHM and WP2 critical administrative API endpoints (createacct, passwd, installplugin, etc.) without valid session credentials, indicative of CVE-2026-41940 exploitation.

Severity: critical. Confidence: medium.

Data Sources

IIS Web Logs, Azure Application Gateway, WAF Logs

Required Tables

W3CIISLog, AzureDiagnostics

False Positives

  • Automated monitoring or uptime checks hitting cPanel health endpoints without authentication headers
  • Legitimate cPanel API integrations using token-based auth that do not populate the csUserName field in IIS logs
  • Internal provisioning automation scripts that appear unauthenticated in web tier but authenticate at the application layer

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-41940: WebPros cPanel & WHM / WP2 Missing Authentication for Critical Function above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2026-41940 Unauthenticated cPanel Account Creation via JSON API

    Expected signal: HTTP POST request to /json-api/createacct on port 2086 with HTTP 200 response and no Authorization header in web server access logs; corresponding cPanel audit log entry for account creation

  2. Test 2: CVE-2026-41940 Unauthenticated Password Change via WHM XMLAPI

    Expected signal: HTTP GET request to /xmlapi/passwd on port 2086 with HTTP 200 response visible in cPanel access logs; no session cookie or API token in request headers; cPanel audit log records password change event

  3. Test 3: CVE-2026-41940 Unauthenticated WP2 Plugin Installation via WordPress REST API

    Expected signal: HTTP GET and POST requests to /wp-json/wp/v2/plugins with HTTP 200/201 responses in web server access logs; WordPress debug log records plugin installation event; file system activity shows new directory creation under wp-content/plugins/
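As an added example (not code from the original page, from WebPros or from the detection vendor), the following Python re-implements the Sentinel query above over W3C extended IIS access-log lines, keeps the username test in its own group, applies allowlists for the false-positive cases listed earlier, and is fed constructed log lines shaped like the three expected signals in the testing methodology plus the benign cases. Everything in it that is not on the page is an assumption: the log lines, the IP addresses, the allowlist values, and the extra `wp/v2/plugins` token, which is added because the Test 3 path `/wp-json/wp/v2/plugins` contains none of the function names in the query's second `has_any` list.

```python
"""Added example, not code from the original page or from WebPros: a stand-alone
re-implementation of the page's Sentinel (KQL) detection over W3C extended IIS
access-log lines, with allowlists for the false-positive cases the page lists.
All log lines, IPs and allowlist entries below are constructed."""

# Path prefixes and critical-function tokens, taken from the page's KQL query.
API_PREFIXES = ("/cpsess", "/json-api", "/execute", "/wp-json", "/xmlapi")
CRITICAL_TOKENS = ("createacct", "removeacct", "passwd", "addpkg", "suspendacct",
                   "unsuspendacct", "installplugin", "createuser",
                   # assumption: added so the WP2 REST path from the page's Test 3
                   # (/wp-json/wp/v2/plugins) is covered; the KQL list lacks it
                   "wp/v2/plugins")
# Assumed tuning for the page's false-positive cases (hypothetical values).
MONITORING_AGENTS = ("UptimeRobot",)   # uptime checkers that never authenticate
PROVISIONING_IPS = ("10.0.5.20",)      # internal automation authenticating at the app layer

# Constructed W3C extended log excerpt; the #Fields header drives the parser.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-01 10:00:01 10.0.0.5 POST /json-api/createacct - 2086 - 203.0.113.7 curl/8.4.0 200
2026-05-01 10:00:09 10.0.0.5 GET /xmlapi/passwd user=bob 2086 - 203.0.113.7 curl/8.4.0 200
2026-05-01 10:00:15 10.0.0.5 GET /json-api/removeacct user=bob 2086 - 203.0.113.7 curl/8.4.0 200
2026-05-01 10:00:20 10.0.0.5 GET /json-api/suspendacct user=bob 2086 - 203.0.113.7 curl/8.4.0 200
2026-05-01 10:00:25 10.0.0.5 GET /json-api/addpkg name=x 2086 - 203.0.113.7 curl/8.4.0 200
2026-05-01 10:00:40 10.0.0.5 GET /json-api/passwd user=bob 2086 - 203.0.113.55 curl/8.4.0 403
2026-05-01 10:01:30 10.0.0.5 POST /wp-json/wp/v2/plugins - 443 - 198.51.100.9 python-requests/2.31 201
2026-05-01 10:02:00 10.0.0.5 GET /json-api/createacct - 2086 root 192.0.2.10 Mozilla/5.0 200
2026-05-01 10:02:30 10.0.0.5 GET /json-api/loadavg - 2086 - 192.0.2.50 UptimeRobot/2.0 200
2026-05-01 10:03:00 10.0.0.5 POST /json-api/createacct - 2086 - 10.0.5.20 provisioner/1.0 200
2026-05-01 10:04:00 10.0.0.5 GET /index.html - 443 - 203.0.113.99 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into one dict per record, keyed by field name."""
    fields, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def is_unauth_critical_request(row):
    """Same predicate as the KQL where clause: API path, GET/POST, a critical
    function token, a success (or 301) status, and no web-tier username."""
    path = row.get("cs-uri-stem", "")
    try:
        status = int(row.get("sc-status", ""))
    except ValueError:
        return False
    return (any(p in path for p in API_PREFIXES)      # substring stand-in for has_any
            and row.get("cs-method") in ("GET", "POST")
            and any(t in path for t in CRITICAL_TOKENS)
            and (200 <= status <= 299 or status == 301)
            # the username test stays in its own group; an ungrouped "or" here
            # would pass every anonymous request regardless of path or status
            and row.get("cs-username", "-") in ("", "-"))


def is_allowlisted(row):
    """Suppress the page's listed false positives: monitoring agents and provisioning hosts."""
    agent = row.get("cs(User-Agent)", "")
    return (row.get("c-ip") in PROVISIONING_IPS
            or any(agent.startswith(a) for a in MONITORING_AGENTS))


def detect(log_text):
    """Mirror the KQL summarize: per source IP, request count, distinct paths,
    first/last seen and a High/Medium risk score, sorted by count descending."""
    hits = {}
    for row in parse_w3c(log_text):
        if not is_unauth_critical_request(row) or is_allowlisted(row):
            continue
        ts = f"{row['date']} {row['time']}"
        h = hits.setdefault(row["c-ip"], {"count": 0, "paths": set(), "first": ts, "last": ts})
        h["count"] += 1
        h["paths"].add(row["cs-uri-stem"])
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
    for h in hits.values():
        h["risk"] = "High" if h["count"] >= 5 else "Medium"
    return dict(sorted(hits.items(), key=lambda kv: kv[1]["count"], reverse=True))


if __name__ == "__main__":
    for ip, h in detect(SAMPLE_LOG).items():
        print(f"{ip}: {h['count']} requests, {len(h['paths'])} paths, "
              f"{h['first']} .. {h['last']}, risk={h['risk']}")
```

Run as-is it flags two sources: the burst of five unauthenticated calls from one address scores High, the single WP2 REST plugin request scores Medium, and the 403, the authenticated `root` request, the health check and the allowlisted provisioning host are all dropped. The Test 3 signal exposes a gap worth closing in the Sentinel query itself: `/wp-json/wp/v2/plugins` contains none of the names in the second `has_any` list, so the query as published would not flag it until a matching token is added. Source-IP and user-agent allowlists handle the first and third false-positive cases; the second (token-based API auth that leaves the username column empty) is indistinguishable from an attack at the web tier and has to be resolved against the cPanel audit log the testing section refers to.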
