cPanel May 2026 TSR: LiteSpeed User-End Plugin Patch Guide

cPanel SEC-73728 and SEC-73755 May 2026 TSR guidance for LiteSpeed User-End cPanel Plugin removal, update checks, and hosting log review.

May 20, 2026 update: cPanel & WHM administrators should treat the May 19/20 security update as urgent, especially if LiteSpeed Web Server integrations are installed. cPanel has published SEC-73728 and SEC-73755 support entries, and public hosting-provider/admin reports quote cPanel and LiteSpeed communications saying the LiteSpeed User-End cPanel Plugin is affected by an actively exploited privilege-escalation issue.

This is separate from the earlier May 2026 cPanel & WHM / WP2 security update guide and the earlier Copy Fail kernel patch issue. If your hosting stack runs cPanel, WHM, WP Toolkit/WP2, LiteSpeed, CloudLinux, or legacy cPanel branches, this is another patch-and-verify item for the same very rough month.

Public technical details are still limited. We are intentionally not publishing attack mechanics, request details, target paths, scanner material, or live exploitation notes. The defensive move is enough: update cPanel, confirm the patched build for your branch, remove or disable the LiteSpeed User-End cPanel Plugin if it remains present, turn off auto-install until a safe version is confirmed, and audit recent administrative activity.

What Is Affected

  • cPanel & WHM / WP2: cPanel published official SEC-73728 and SEC-73755 support articles for the May 19, 2026 security update.
  • LiteSpeed User-End cPanel Plugin: public provider and forum posts quote an urgent LiteSpeed advisory saying the user-end plugin is affected and should be removed/disabled while a fixed version is prepared.
  • Not the same as the LiteSpeed Cache WordPress plugin: this is about the cPanel-side LiteSpeed Web Cache Manager/user-end plugin. Do not remove random WordPress cache plugins because of a cPanel plugin advisory.
  • Not necessarily the parent WHM LiteSpeed plugin: public LiteSpeed-facing guidance says the user-end cPanel plugin is the affected component and the parent WHM plugin is not the same thing.

Why Hosting Providers Should Move Fast

A cPanel user-end plugin is a high-value target because it sits inside the shared-hosting control plane. Even when the vulnerable component is third-party, customers experience it as “the hosting panel.” If a plugin can cross a privilege boundary, one compromised account can become a server-level incident.

The risk is bigger on shared hosting, reseller hosting, student/dev systems, legacy cPanel branches, CloudLinux/CageFS fleets, and any server where many independent site owners can reach cPanel features. Treat this like a control-panel incident, not a normal WordPress plugin cleanup.

Immediate Patch Checklist

  • Check the current cPanel build: confirm the running branch and build number from WHM or SSH.
  • Review the update tier: make sure the server is not pinned to a branch that blocks the security build. Legacy CloudLinux 6 / CentOS 6 systems need extra care and should follow cPanel’s current branch guidance.
  • Run the cPanel update: use the normal WHM update flow or the standard cPanel update command during a monitored maintenance window.
  • Verify the build after patching: do not assume the update landed just because the command completed. Confirm the version from WHM and from the command line.
  • Check whether the LiteSpeed User-End cPanel Plugin remains installed: if it remains present, remove/disable the user-end plugin and disable auto-install until LiteSpeed confirms a patched version.
  • Do not confuse plugin layers: LiteSpeed Web Server, the WHM LiteSpeed plugin, the user-end cPanel plugin, and the WordPress LSCache plugin are different pieces.

Safe Admin Commands

These are normal maintenance checks, not vulnerability validation steps:

/usr/local/cpanel/cpanel -V
grep '^CPANEL=' /etc/cpupdate.conf
/scripts/upcp --force

For the LiteSpeed user-end plugin, LiteSpeed documents the cPanel plugin management command under the WHM LiteSpeed plugin tooling. If your server has LiteSpeed installed and the user-end plugin still exists after the cPanel update, remove it and disable auto-install while you wait for a safe replacement build:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
/usr/local/lsws/admin/misc/lscmctl cpanelplugin -autoinstall 0

If your environment uses a different LiteSpeed path, use the LiteSpeed WHM interface instead of guessing at paths. On managed hosting, ask the provider to confirm whether the user-end cPanel plugin was removed or disabled fleet-wide.

Post-Patch Verification

  • Confirm the cPanel build is at or above the patched version for the branch.
  • Confirm the LiteSpeed User-End cPanel Plugin is no longer available to cPanel users unless LiteSpeed has published a fixed version and you deliberately reinstalled it.
  • Confirm auto-install for the user-end plugin is off until you are ready to re-enable it.
  • Review recent cPanel, WHM, LiteSpeed, sudo, shell, and account-management logs for unusual administrator actions.
  • Check reseller and high-risk customer accounts first, especially if they had cPanel access during the exposure window.
  • Tell customers plainly if a panel feature was removed temporarily. Silence creates tickets; clear maintenance notes reduce panic.
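
The first verification item above, as an added example (not cPanel's or LiteSpeed's own tooling): a per-branch build check that only compares a build against the minimum for its own branch and refuses to guess on an unknown branch or unexpected output. It assumes `cpanel -V` prints the form "110.0 (build 17)"; the minimum builds in the table are constructed placeholders, to be replaced with the values from the SEC-73728 / SEC-73755 articles.

```shell
#!/bin/sh
# Added example: is this cPanel build at or above the patched build for ITS branch?
# ASSUMPTION: `cpanel -V` prints "MAJOR.MINOR (build N)", e.g. "110.0 (build 17)".

# CONSTRUCTED placeholders ("branch:minimum_build"), not real patched builds.
# Replace with the per-branch values from the vendor's support articles.
MIN_BUILDS="110.0:999
118.0:999"

# parse_build "110.0 (build 17)" -> prints "110.0 17"; prints nothing otherwise.
parse_build() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\) (build \([0-9][0-9]*\))$/\1 \2/p'
}

# check_build VERSION_STRING
# Prints one of: PATCHED, OUTDATED, UNKNOWN_BRANCH, UNPARSEABLE.
check_build() {
    parsed=$(parse_build "$1")
    [ -n "$parsed" ] || { echo UNPARSEABLE; return 0; }
    branch=${parsed% *}
    build=${parsed#* }
    # Force string comparison so branch names are matched exactly.
    min=$(printf '%s\n' "$MIN_BUILDS" |
        awk -F: -v b="$branch" '($1 "") == (b "") { print $2 }')
    # A branch with no entry may be pinned or end-of-life: flag it, do not pass it.
    [ -n "$min" ] || { echo UNKNOWN_BRANCH; return 0; }
    if [ "$build" -ge "$min" ]; then echo PATCHED; else echo OUTDATED; fi
}

# On a cPanel server, check the running build; elsewhere this is skipped.
if [ -x /usr/local/cpanel/cpanel ]; then
    check_build "$(/usr/local/cpanel/cpanel -V)"
fi
```

Anything other than PATCHED means the server still needs attention: OUTDATED needs the update rerun, and UNKNOWN_BRANCH or UNPARSEABLE needs a manual check against cPanel's branch guidance.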

What To Tell Customers

Use plain language: “We applied the May 2026 cPanel & WHM security update and temporarily removed or disabled the LiteSpeed user-end cPanel integration while the vendor finalizes safe plugin guidance. This does not mean your WordPress LiteSpeed Cache plugin was removed. Website caching and server LiteSpeed service may continue normally, but the cPanel-side management shortcut may be unavailable until the fixed component is confirmed.”

Bottom Line

Patch cPanel now, verify the branch, remove or disable the LiteSpeed User-End cPanel Plugin if it remains available, and keep an eye on cPanel and LiteSpeed for the fixed plugin path. May 2026 has already shown that hosting control-panel bugs move quickly from “scheduled patch” to “active incident.” Treat this one with that same urgency.