44,000 Hacked Control Panels and a WordPress Auth Bypass: What This Week's Threats Mean for Your Business

44,000 hosting control panels. Confirmed compromised. Active exploitation confirmed by US and Australian government authorities. That is not a projection or a vendor estimate. That is a count from The Shadowserver Foundation of systems already in attacker hands.

This week produced two threats that are directly relevant to any UK small business running a website. Neither requires a sophisticated attacker. Both exploits are publicly available. The window between disclosure and mass exploitation is measured in hours.

Story One: The cPanel Authentication Bypass

cPanel and WebHost Manager (WHM) are the control panels that sit behind an enormous proportion of the world’s hosted websites. If your business website is hosted by a typical UK web hosting company, there is a reasonable probability your hosting environment runs on cPanel. It is the interface your hosting provider uses to manage your account, and the one you may use to set up email addresses, manage files, or install software.

CVE-2026-41940 is an authentication bypass vulnerability. Authentication bypass means exactly what it sounds like: an attacker does not need your password. The vulnerability works by manipulating session files, which tricks the system into treating the attacker as the legitimate account owner. Once in, they have full administrative access to the control panel. From there, they can modify your website, access your email, exfiltrate your customer data, or install malware that infects anyone who visits your site.

The Dutch NCSC and its counterparts in the US and Australia have all issued advisories confirming active exploitation. The Shadowserver Foundation, which monitors internet-exposed infrastructure globally, reported 44,000 installations as already compromised.

What this means in plain language: if your hosting provider has not patched this, your website and everything associated with it is at serious risk. You cannot patch this yourself. You are dependent on your hosting provider acting.

The patch exists. cPanel released it. The question is whether your provider has applied it.

Story Two: The WordPress Plugin Handing Out Admin Access

CVE-2026-7567 affects a WordPress plugin called Temporary Login Without Password, versions up to and including 1.0.0. WordPress plugins are the small add-on applications that extend what a WordPress site can do. This particular plugin is designed to create temporary login links for contractors or support staff, without requiring a password.

The flaw is in how the plugin validates input. When the login token parameter is submitted as an array rather than a string, PHP’s empty() check does not reject it, because a non-empty array is not "empty". The sanitisation function then returns an empty string for the array. WordPress drops the empty value from the lookup and returns every user account carrying a specific internal marker. The result: an unauthenticated attacker can gain access to all user accounts on the site.
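To make that validation flaw concrete, here is an added, hypothetical PHP illustration of the pattern (not the plugin's own code): a token lookup written the vulnerable way, beside a hardened version that fails closed. It assumes WordPress's sanitize_text_field(), wp_unslash() and get_users(); the meta key name and the token format are invented for the example.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress helpers
// sanitize_text_field(), wp_unslash() and get_users() are available.

// VULNERABLE pattern: neither empty() nor the sanitiser stops an array value.
function demo_vulnerable_lookup() {
    // A request of the form ?token[]=x makes $_GET['token'] an array,
    // and empty() returns false for a non-empty array.
    $token = isset( $_GET['token'] ) ? $_GET['token'] : '';
    if ( empty( $token ) ) {
        return null;
    }
    // sanitize_text_field() returns '' when handed an array. WordPress then
    // drops the empty meta_value and the query matches every user that has
    // the meta key at all, not the one user holding a specific token.
    $token = sanitize_text_field( $token );
    $users = get_users( array(
        'meta_key'   => 'demo_temp_login_token', // hypothetical marker
        'meta_value' => $token,
    ) );
    return $users ? $users[0] : null; // logs in whichever account comes first
}

// HARDENED: enforce the expected type, re-check emptiness after sanitising,
// require the expected token shape, and never run the lookup without a value.
function demo_hardened_lookup() {
    if ( ! isset( $_GET['token'] ) || ! is_string( $_GET['token'] ) ) {
        return null; // arrays, objects and missing values are rejected outright
    }
    $token = sanitize_text_field( wp_unslash( $_GET['token'] ) );
    // Tokens are opaque hex strings in this illustration; anything else fails closed.
    if ( '' === $token || ! preg_match( '/^[a-f0-9]{32,64}$/', $token ) ) {
        return null;
    }
    $users = get_users( array(
        'meta_key'   => 'demo_temp_login_token',
        'meta_value' => $token,
        'number'     => 2, // ask for two so a duplicated token is detectable
    ) );
    // Exactly one match is the only acceptable outcome.
    if ( 1 !== count( $users ) ) {
        return null;
    }
    return $users[0];
}
```

The hardened version also illustrates a general rule for authentication lookups: a query that can match more than one principal should be treated as a failure, not as a success for the first row returned.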

The exploit requires no credentials and no prior access. It is the digital equivalent of a lock that opens if you knock in a specific way that the locksmith forgot to test.

If you run a WordPress site and this plugin is installed, you have an actively exploitable authentication bypass on your hands right now. The fix is to update or remove the plugin immediately, then audit your WordPress admin user list for accounts you do not recognise.

Why this matters beyond the obvious: compromised WordPress sites are frequently used to host phishing pages, distribute malware to site visitors, or serve as infrastructure for attacks on other targets. A compromised business website does not just hurt you. It becomes a weapon used against your customers.

The Pattern Behind Both Stories

These two vulnerabilities share a structural characteristic that is worth naming clearly: both bypass authentication entirely. They do not require attackers to crack passwords, guess credentials, or conduct any prior reconnaissance. The question of password strength, MFA configuration, or account lockout policy is irrelevant if the authentication mechanism itself can be skipped.

This is a recurring pattern in critical vulnerabilities. The NCSC’s own guidance consistently emphasises that keeping software patched and up to date is the single most impactful control available to small businesses. These two cases illustrate why. A well-configured firewall and a strong password policy provide zero protection against a flaw that bypasses the login screen entirely.

The Temporary Login plugin vulnerability (CVE-2026-7567) carries a CVSS score of 9.8 out of 10. The cPanel vulnerability (CVE-2026-41940) is confirmed actively exploited with US government advisory backing. Neither is a theoretical risk.

Why This Gives You an Edge

Most of your competitors are not asking their hosting provider about CVE-2026-41940 today. Most are not auditing their WordPress plugin list this week. Most will not know there was a problem until something visibly breaks, or until a customer reports that visiting their website triggered a malware warning.

The businesses that treat vulnerability intelligence as operational information, rather than something for IT professionals to worry about, are the businesses that avoid incidents rather than respond to them.

If you supply services to larger organisations, demonstrating active security awareness is increasingly a procurement requirement. Being able to say that you identified and responded to CVE-2026-41940 within 48 hours of advisory publication is a concrete, verifiable signal that your security posture is managed, not neglected.

If you hold or are pursuing Cyber Essentials certification, patch management is a core control. Acting on this week’s advisories directly supports that certification and reduces your exposure to the kind of incidents that generate ICO notification obligations.

Making the Business Case

Three points for anyone who needs to justify action to a board or a budget holder:

The exposure is confirmed, not projected. 44,000 compromised installations is a measured figure from an independent monitoring organisation. This is not vendor marketing creating artificial urgency. It is a count of systems already in attacker hands.

The cost of inaction exceeds the cost of action. Calling your hosting provider to ask whether CVE-2026-41940 has been patched takes ten minutes. Responding to a website compromise, notifying affected customers, and managing an ICO investigation takes months and costs money you do not have budgeted.

The regulatory exposure is real. A compromised website that leaks customer data is a reportable incident under UK GDPR. The ICO’s track record on enforcement is not irrelevant to small businesses. The 72-hour notification clock starts from the point you become aware of a breach, not from the point you choose to report it.

What to Do Before the End of the Week

  1. Contact your hosting provider today. Ask them directly: have you patched CVE-2026-41940 in your cPanel and WHM environment? If they do not know what you are referring to, escalate. If they cannot confirm patching, consider whether your current provider is fit for purpose. A hosting company that cannot respond to an actively exploited critical vulnerability within 48 hours of advisory publication has a problem.

  2. Check your WordPress plugin list. Log into your WordPress admin dashboard. Go to Plugins. Look for anything called Temporary Login Without Password. If it is there, deactivate and delete it immediately, then install the updated version from the official WordPress plugin repository. Check the version number of the replacement before reinstalling: anything at 1.0.0 or earlier is still vulnerable.

  3. Audit your WordPress admin users. Go to Users in your WordPress dashboard and filter by Administrator role. Remove any accounts you do not recognise. If you find accounts that should not be there, assume the site is compromised and contact a specialist.

  4. Enable two-factor authentication on your hosting control panel. Most reputable hosting providers support MFA on the cPanel login. This does not protect against CVE-2026-41940 specifically (which bypasses authentication), but it is a baseline control that protects against credential theft more broadly. If your provider does not offer MFA on the control panel login, note that as a risk.

  5. Review your website backup status. If your website is compromised and you need to restore it, you need a recent, clean backup stored somewhere other than the compromised hosting environment. Ask your provider when the last backup was taken and where it is stored. If the answer is unclear, that is a separate problem to address this week.

Sources

  • The Shadowserver Foundation: Shadowserver report on CVE-2026-41940 cPanel compromises
  • Security.nl: 44,000 cPanel installations suspected hacked via new vulnerability
  • Security.nl / Dutch NCSC: NCSC advises installing cPanel and WHM updates as quickly as possible
  • NIST NVD: CVE-2026-7567: WordPress Temporary Login Plugin Authentication Bypass (CVSS 9.8)
  • NIST NVD: CVE-2026-41940: cPanel and WHM Authentication Bypass
  • NCSC UK: Patching: an overview of NCSC guidance on keeping software up to date
  • ICO: Personal data breaches: reporting obligations under UK GDPR
