June 15, 2026 CISA KEV update: CISA added CVE-2026-54420 for the LiteSpeed cPanel Plugin to the Known Exploited Vulnerabilities catalog. The federal due date is June 18, 2026, which is a short clock for hosting providers and shared cPanel servers.
What changed: the June 1 LiteSpeed update is now tied to an assigned CVE and a CISA KEV entry. The practical fix remains the same: confirm the cPanel user-end plugin is 2.4.8 or newer, and use LiteSpeed WHM Plugin 5.3.2.1 or newer as the safer current target.
Shared-hosting impact: the CVE record and LiteSpeed advisory describe a privilege-escalation risk on shared hosting servers running CloudLinux/CageFS when an attacker already has FTP access or a compromised-site foothold. Treat this as a server-isolation issue, not just a control-panel plugin cleanup task.
Safe verification: confirm the WHM plugin version, confirm the bundled cPanel user-end plugin version, confirm whether the user-end plugin is still exposed to cPanel users, and use LiteSpeed’s advisory or LiteSpeed support for exact incident indicators. This article intentionally does not reproduce low-level log patterns, request details, or investigation recipes.
June 1, 2026 second LiteSpeed cPanel plugin update: LiteSpeed has published another urgent security update for the user-end cPanel plugin. LiteSpeed says this newer issue affects user-end plugin versions before 2.4.8, is being actively exploited, and is separate from the earlier CVE-2026-48172 patch target. The new target is LiteSpeed WHM Plugin v5.3.2.1 bundled with cPanel User-End Plugin v2.4.8, or newer.
Action change: if you stopped at WHM Plugin 5.3.1.0 / cPanel User-End Plugin 2.4.7, schedule the next maintenance window now. Update to 5.3.2.1 / 2.4.8 or newer, or remove the user-end cPanel plugin until the fixed build is confirmed. Do not re-enable an older user-end plugin just because the May CVE-2026-48172 advisory was handled.
Hosting impact: LiteSpeed describes the June 1 issue as a privilege-escalation risk on shared hosting servers running CloudLinux/CageFS where an attacker already has FTP access or an existing compromised-site foothold. That still matters: on shared hosting, one account foothold can become a server-level incident if the control-panel plugin crosses a privilege boundary.
Safe verification: confirm the WHM-side LiteSpeed plugin version, confirm the bundled cPanel user-end plugin version, confirm whether the user-end plugin is exposed to cPanel users, and review LiteSpeed/cPanel/system logs using LiteSpeed’s advisory as the source for exact indicators. This article intentionally does not reproduce LiteSpeed’s log-search patterns or low-level request indicators.
May 26, 2026 CISA KEV update: this issue is now tracked as CVE-2026-48172. CISA added the LiteSpeed cPanel Plugin privilege-escalation vulnerability to the Known Exploited Vulnerabilities catalog on May 26, 2026, with a May 29, 2026 remediation due date for covered agencies. That is a short window, and hosting providers should treat it like a control-panel emergency, not a routine plugin notice.
Fixed-version target: LiteSpeed’s release log lists WHM Plugin v5.3.2.1 bundled with cPanel User-End Plugin v2.4.8 or newer, released May 21, 2026. If you removed or disabled the user-end cPanel plugin during the May 20 mitigation window, keep it disabled until you deliberately install the fixed build and verify it. If the user-end plugin is still available to cPanel users, update now or remove it until the fixed version is in place.
May 20, 2026 original notice: cPanel & WHM administrators should treat the May 19/20 security update as urgent, especially if LiteSpeed Web Server integrations are installed. cPanel has published SEC-73728 and SEC-73755 support entries, and public hosting-provider/admin reports quote cPanel and LiteSpeed communications saying the LiteSpeed User-End cPanel Plugin is affected by an actively exploited privilege-escalation issue.
This is separate from the earlier May 2026 cPanel & WHM / WP2 security update guide and the earlier Copy Fail kernel patch issue. If your hosting stack runs cPanel, WHM, WP Toolkit/WP2, LiteSpeed, CloudLinux, or legacy cPanel branches, this is another patch-and-verify item for the same very rough month.
We are intentionally not publishing attack mechanics, request details, target paths, scanner material, or live exploitation notes. The defensive move is enough: update to the fixed LiteSpeed cPanel plugin build, confirm the cPanel/WHM security updates for your branch, remove or disable the LiteSpeed User-End cPanel Plugin if it remains exposed, keep auto-install off until you have verified the safe version, and audit recent administrative activity.
What Is Affected
- cPanel & WHM / WP2: cPanel published official SEC-73728 and SEC-73755 support articles for the May 19, 2026 security update.
- LiteSpeed User-End cPanel Plugin: CISA now lists CVE-2026-48172 for the LiteSpeed cPanel Plugin. LiteSpeed’s release log points administrators to WHM Plugin v5.3.2.1 bundled with cPanel User-End Plugin v2.4.8 or newer.
- Not the same as the LiteSpeed Cache WordPress plugin: this is about the cPanel-side LiteSpeed Web Cache Manager/user-end plugin. Do not remove random WordPress cache plugins because of a cPanel plugin advisory.
- Not necessarily the parent WHM LiteSpeed plugin alone: the fixed release ships the WHM plugin and cPanel user-end plugin together, so verify both the WHM-side package version and the user-end cPanel plugin version.
Why Hosting Providers Should Move Fast
A cPanel user-end plugin is a high-value target because it sits inside the shared-hosting control plane. Even when the vulnerable component is third-party, customers experience it as “the hosting panel.” If a plugin can cross a privilege boundary, one compromised account can become a server-level incident.
The risk is bigger on shared hosting, reseller hosting, student/dev systems, legacy cPanel branches, CloudLinux/CageFS fleets, and any server where many independent site owners can reach cPanel features. Treat this like a control-panel incident, not a normal WordPress plugin cleanup.
Immediate Patch Checklist
- Check the current cPanel build: confirm the running branch and build number from WHM or SSH.
- Review the update tier: make sure the server is not pinned to a branch that blocks the security build. Legacy CloudLinux 6 / CentOS 6 systems need extra care and should follow cPanel’s current branch guidance.
- Run the cPanel update: use the normal WHM update flow or the standard cPanel update command during a monitored maintenance window.
- Verify the build after patching: do not assume the update landed just because the command completed. Confirm the version from WHM and from the command line.
- Check whether the LiteSpeed User-End cPanel Plugin remains installed: if it is still present at a version below cPanel User-End Plugin v2.4.8, remove or disable it, or update to WHM Plugin v5.3.2.1, which bundles the fixed user-end plugin.
- Do not confuse plugin layers: LiteSpeed Web Server, the WHM LiteSpeed plugin, the user-end cPanel plugin, and the WordPress LSCache plugin are different pieces. Patch the hosting-control-panel component named in the advisory.
Safe Admin Commands
These are normal maintenance checks, not vulnerability validation steps:
/usr/local/cpanel/cpanel -V
grep '^CPANEL=' /etc/cpupdate.conf
/scripts/upcp --force
For the LiteSpeed user-end plugin, LiteSpeed documents the cPanel plugin management command under the WHM LiteSpeed plugin tooling. If your server has LiteSpeed installed and the user-end plugin still exists after the cPanel update, remove it and disable auto-install while you wait for a safe replacement build:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
/usr/local/lsws/admin/misc/lscmctl cpanelplugin -autoinstall 0
If your environment uses a different LiteSpeed path, use the LiteSpeed WHM interface instead of guessing at paths. On managed hosting, ask the provider to confirm whether the user-end cPanel plugin was removed or disabled fleet-wide.
Post-Patch Verification
- Confirm the cPanel build is at or above the patched version for the branch.
- Confirm the LiteSpeed User-End cPanel Plugin is no longer available to cPanel users unless WHM Plugin v5.3.2.1 bundled with cPanel User-End Plugin v2.4.8 or newer is deliberately installed.
- Confirm auto-install for the user-end plugin is off until you have verified the fixed build across the server or fleet.
- Review recent cPanel, WHM, LiteSpeed, sudo, shell, and account-management logs for unusual administrator actions.
- Check reseller and high-risk customer accounts first, especially if they had cPanel access during the exposure window.
- Tell customers plainly if a panel feature was removed temporarily. Silence creates tickets; clear maintenance notes reduce panic.
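An added example, not from LiteSpeed, cPanel or the original article: a POSIX shell helper that grades version strings you have already read from WHM against the June 1 targets named above (WHM Plugin 5.3.2.1, user-end plugin 2.4.8). The function names, verdict labels and sample inventory are constructed for illustration, and the script does not query the plugin itself.

```shell
#!/bin/sh
# Added example: grade plugin versions against the June 1 targets from the article.
# Version strings are supplied by the admin (read from WHM); nothing is probed here.
MIN_WHM="5.3.2.1"      # LiteSpeed WHM Plugin target
MIN_USEREND="2.4.8"    # cPanel User-End Plugin target

# ver_ge A B: true when dotted version A >= B, compared field by field as integers,
# so 2.4.10 ranks above 2.4.8 and a missing field counts as 0.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# classify WHM_VER USEREND_VER EXPOSED: EXPOSED is "yes" when cPanel users can
# still reach the user-end plugin, "no" when it was removed or disabled.
classify() {
    whm=${1#v} ue=${2#v} exposed=$3
    for v in "$whm" "$ue"; do
        case $v in ""|*[!0-9.]*) echo "invalid"; return 0 ;; esac
    done
    if ver_ge "$whm" "$MIN_WHM" && ver_ge "$ue" "$MIN_USEREND"; then
        echo "fixed"
    elif [ "$exposed" = "no" ]; then
        echo "keep-disabled"       # stay off until the fixed build is installed
    else
        echo "update-or-remove"    # below target and reachable by cPanel users
    fi
}

# Constructed sample inventory: host, WHM plugin, user-end plugin, exposed
while read -r host whm_v ue_v reach; do
    printf '%s\t%s\n' "$host" "$(classify "$whm_v" "$ue_v" "$reach")"
done <<'EOF'
web01.example 5.3.2.1 2.4.8 yes
web02.example 5.3.1.0 2.4.7 yes
web03.example 5.3.1.0 2.4.7 no
web04.example v5.3.2.1 v2.4.10 yes
EOF
```

A server that stopped at the May build (5.3.1.0 / 2.4.7) grades as `update-or-remove` while the user-end plugin is exposed, and as `keep-disabled` once it has been removed.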
What To Tell Customers
Use plain language: “We applied the May 2026 cPanel & WHM security update and either updated, removed, or disabled the LiteSpeed user-end cPanel integration while we verify the fixed vendor build. This does not mean your WordPress LiteSpeed Cache plugin was removed. Website caching and server LiteSpeed service may continue normally, but the cPanel-side management shortcut may be unavailable until the fixed component is confirmed.”
Source Links
- CISA Known Exploited Vulnerabilities catalog: CVE-2026-48172 added May 26, 2026
- LiteSpeed: June 1 second security update for LiteSpeed cPanel Plugin
- CVE.org record for CVE-2026-54420
- CISA Known Exploited Vulnerabilities catalog
- LiteSpeed: May 21 security update for LiteSpeed cPanel Plugin
- LiteSpeed cPanel/WHM plugin release log: WHM Plugin v5.3.2.1 bundled with cPanel User-End Plugin v2.4.8 or newer
- NVD: CVE-2026-48172
- cPanel support: SEC-73728 May 19, 2026 security update
- cPanel support: SEC-73755 May 19, 2026 security update
- LiteSpeed documentation: cPanel user-end plugin
- LiteSpeed documentation: cPanel plugin management command
- myglobalHOST: May 2026 cPanel security patch timeline and LiteSpeed user-end plugin note
- Maxinames: cPanel May 20 TSR pre-announcement
Bottom Line
Patch cPanel now, verify the branch, update LiteSpeed’s WHM Plugin to v5.3.1.0 with cPanel User-End Plugin v2.4.7 or newer, and remove or disable the LiteSpeed User-End cPanel Plugin anywhere the fixed build is not confirmed. May 2026 has already shown that hosting control-panel bugs move quickly from “scheduled patch” to “active incident.” Treat this one with that same urgency.


