Situation
An argument injection vulnerability in WP Toolkit before version 6.11.0, as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.
Impact
Any cPanel server (on any operating system) that has WP Toolkit installed at a version lower than 6.11.0 is affected.
Call to Action
Update wp-toolkit to the fixed version 6.11.0 by running the following command as the root user:
# su wp-toolkit --shell=/bin/bash -c '/usr/bin/sw-engine -d auto_prepend_file=/usr/local/cpanel/3rdparty/wp-toolkit/scripts/scheduled-task-prepend-file.php /usr/local/cpanel/3rdparty/wp-toolkit/plib/scripts/instances-auto-update.php'