The vulnerability, tracked as CVE-2026-48172, has been rated at the maximum severity level by security trackers and affects LiteSpeed cPanel user-end plugin versions from 2.3 through 2.4.4. LiteSpeed patched the initial flaw in version 2.4.5 and later urged administrators to move to cPanel plugin version 2.4.7, bundled with WHM plugin version 5.3.1.0, after a wider security review found additional attack paths that had not been reported as exploited.
The issue centres on the plugin’s lsws.redisAble function, part of Redis-related controls exposed through the user-end cPanel interface. The weakness allowed a valid cPanel user, including a compromised shared-hosting account, to execute arbitrary scripts with root privileges. That made the bug especially dangerous for shared hosting environments, where a single server can hold many accounts operated by unrelated customers.
LiteSpeed said the company was alerted to the original issue on 19 May 2026. cPanel pushed an uninstall command for the user-end plugin the same day, while LiteSpeed released cPanel plugin version 2.4.6 and WHM plugin version 5.3.0.0. The company applied for a CVE on 20 May and completed a broader security review on 21 May, releasing cPanel plugin 2.4.7 and WHM plugin 5.3.1.0.
The flaw is a zero-day because exploitation was observed before a complete fix was available. Its impact is amplified by the architecture of shared hosting, where control panels often manage web files, databases, mail, cron jobs, application installations and customer-level access. A jump from an ordinary cPanel account to root can expose all hosted accounts on the same machine, alter system files, add backdoors, tamper with logs, deploy malware or pivot deeper into a provider’s infrastructure.
The parent LiteSpeed WHM plugin was not affected by the original vulnerability, but the patched release package includes hardened code across related components. The 21 May update restored Redis enable and disable features with additional safeguards after emergency steps had focused on removing or disabling the vulnerable user-end component.
Administrators have been advised to check cPanel logs for calls involving cpanel_jsonapi_func=redisAble, the indicator associated with attempted exploitation. Servers returning matching log entries require closer inspection of source IP addresses and system activity to determine whether the activity came from legitimate users or hostile accounts. Where suspicious IPs appear, access restrictions, log review, credential resets and broader compromise assessment are needed rather than treating the update alone as sufficient.
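The log check described above can be scripted so that matches are grouped by source IP and cPanel user for triage. This is an added example, not code from LiteSpeed, cPanel or this article. It assumes access-log lines that begin with client IP, ident, authenticated user and a bracketed timestamp; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Indicator from the article; underscores optional so either spelling matches.
INDICATOR = re.compile(r"cpanel_?jsonapi_?func=redisAble\b", re.IGNORECASE)
# Assumed line prefix: client IP, ident, authenticated user, [timestamp].
PREFIX = re.compile(r"^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\]")

# Constructed sample lines (documentation IP ranges, made-up users and session tokens).
SAMPLE_LOG = """\
203.0.113.7 - alice [19/May/2026:10:02:11 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.7 - alice [19/May/2026:10:02:40 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.23 - bob [19/May/2026:11:15:03 -0000] "GET /cpsess1111111111/json-api/cpanel?cpaneljsonapifunc=redisAble HTTP/1.1" 200 0
192.0.2.10 - carol [19/May/2026:11:20:00 -0000] "GET /cpsess2222222222/index.html HTTP/1.1" 200 512
cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
"""

def find_redisable_calls(lines):
    """Map (source IP, cPanel user) -> timestamps of requests carrying the indicator."""
    hits = defaultdict(list)
    for line in lines:
        # Normalise percent-encoding before matching the indicator.
        if not INDICATOR.search(unquote(line)):
            continue
        m = PREFIX.match(line)
        if m:
            hits[(m["ip"], m["user"])].append(m["ts"])
        else:
            # Keep truncated or odd lines visible instead of dropping them.
            hits[("unparsed", "unparsed")].append(line.strip())
    return dict(hits)

def triage(lines):
    """Return (ip, user, count, first_seen, last_seen) rows, busiest first."""
    rows = [(ip, user, len(ts), ts[0], ts[-1])
            for (ip, user), ts in find_redisable_calls(lines).items()]
    return sorted(rows, key=lambda r: -r[2])

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines()):
        print(*row, sep="\t")
```

Each row gives an IP and account pair to compare against known customer activity; a match shows only that the function was called, so the follow-up steps in the paragraph above still apply.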
The incident shows how control-panel plugins can become high-value targets for attackers because they sit at the junction of user convenience and administrative privilege. Features that automate cache, Redis and WordPress management often require elevated system operations. When access controls around those operations fail, an attacker does not need a kernel exploit or direct administrator password to reach root.
For hosting companies, the immediate priority is to confirm plugin versions, remove outdated user-end installations, review logs and verify whether any server-level changes occurred during the exposure window. Customers on shared hosting should also be alert for unexplained website changes, altered files, unfamiliar administrator accounts, outbound spam, redirects, cryptocurrency miners or sudden changes in resource consumption.
The episode also adds pressure on hosting platforms to tighten isolation between tenants. Technologies such as CloudLinux, CageFS, hardened PHP handlers, restricted shell access and stronger account separation can limit some post-compromise movement, but they do not remove the risk when a plugin itself can trigger privileged actions. Root-level access can still override many customer-level defences.