CRITICAL: CVE-2026-41940, affecting the WebPros cPanel & WHM and WP2 platforms, enables unauthenticated remote code execution through an authentication bypass in the login mechanisms. It is assessed as exploitation-ready, with active adversary probing reported since 0400 UTC 19 JAN. Versions prior to patch release 126.0.48 (cPanel) and 5.2.1 (WP2) contain flawed session validation routines that permit direct access to administrative functions without credential submission. The CISA KEV database confirms active exploitation in the wild; immediate patching or network segmentation is recommended for all hosting providers and WordPress deployments running vulnerable versions.