CVE-2026-47365

cPanel · WordPress Toolkit

An argument injection vulnerability in WordPress Toolkit allows authenticated users to bypass cross-tenant authorization and execute arbitrary CLI commands as another account.

Executive summary

A critical argument injection vulnerability in WordPress Toolkit allows unauthorized command execution, posing a severe risk to multi-tenant environments.

Vulnerability

The vulnerability exists due to improper input sanitization within the wp-toolkit CLI command structure. It allows a remote authenticated user to manipulate arguments to execute commands across tenant boundaries.

Business impact

With a CVSS score of 9.9, this vulnerability represents a critical risk to service providers and businesses using shared hosting environments. Successful exploitation allows for privilege escalation and cross-tenant data access, potentially leading to a complete compromise of managed WordPress instances and underlying system integrity.

Remediation

Immediate Action: Update WordPress Toolkit to version 6.11.0 or later to remediate the argument injection flaw.

Proactive Monitoring: Review system logs for unusual CLI execution patterns or unauthorized attempts to access directories outside of the authenticated user's scope.

Compensating Controls: Implement strict command-line argument validation and monitor for anomalous process spawning originating from the WordPress Toolkit service.
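The two compensating controls above, strict argument validation and review of CLI execution logs, can be illustrated together. The following is an added example, not cPanel's or WordPress Toolkit's code; it uses a hypothetical wrapper around a fictional `tenant-cli` binary with made-up `--account` and `--site-path` options, assumes accounts live under `/home/<account>`, assumes the CLI honours the `--` end-of-options marker, and scans constructed log lines in a made-up audit format. `weak_build_argv` shows the string-concatenation pattern in which caller text that looks like an option is parsed as one; `build_argv` is the hardened form, and `scan_cli_log` flags invocations where a non-privileged account acts on another tenant's account or paths.

```python
import os
import re
import shlex

# Hypothetical CLI name and option names; the real wp-toolkit flags are not on the page.
CLI = "tenant-cli"
ACCOUNT_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")
PRIVILEGED_CALLERS = {"root"}  # accounts legitimately allowed to act on any tenant


class ArgumentRejected(ValueError):
    """Raised when a caller-supplied value must not reach the CLI."""


def validate_account(value: str) -> str:
    # A strict allowlist keeps option-like or path-like text out of the account slot.
    if not ACCOUNT_RE.fullmatch(value):
        raise ArgumentRejected(f"bad account name: {value!r}")
    return value


def path_within_home(path: str, account: str) -> bool:
    # Lexical check only (normpath resolves '..' but not symlinks); a deployment
    # would additionally realpath the candidate against the live filesystem.
    if not path.startswith("/"):
        return False
    home = f"/home/{account}"
    normalized = os.path.normpath(path)
    return normalized == home or normalized.startswith(home + "/")


def weak_build_argv(account: str, site_path: str, extra: str) -> list:
    # The weak pattern: values are concatenated into one command string, so any
    # option-looking text in `extra` becomes an option token for the CLI.
    return shlex.split(f"{CLI} --account {account} --site-path {site_path} {extra}")


def build_argv(caller: str, account: str, site_path: str, extra: list) -> list:
    # 1. Cross-tenant authorization: a non-privileged caller may only act as itself.
    if caller not in PRIVILEGED_CALLERS and account != caller:
        raise ArgumentRejected(f"{caller!r} may not act as {account!r}")
    account = validate_account(account)
    # 2. Path scope: the site must live under the target account's home directory.
    if not path_within_home(site_path, account):
        raise ArgumentRejected(f"path outside {account!r}'s home: {site_path!r}")
    # 3. Free-text values may never look like options, and are placed after the
    #    end-of-options marker so the CLI treats them as positional arguments.
    for token in extra:
        if token.startswith("-"):
            raise ArgumentRejected(f"option-like value rejected: {token!r}")
    return [CLI, "--account", account, "--site-path", os.path.normpath(site_path), "--", *extra]


def is_rejected(caller: str, account: str, site_path: str, extra: list) -> bool:
    """True if build_argv refuses the request (used for checks below)."""
    try:
        build_argv(caller, account, site_path, extra)
    except ArgumentRejected:
        return True
    return False


# Constructed audit-log format: timestamp, invoking uid, executable, quoted argv.
LOG_RE = re.compile(r'^(?P<ts>\S+) uid=(?P<uid>\S+) exe=(?P<exe>\S+) argv="(?P<argv>.*)"$')


def scan_cli_log(lines) -> list:
    """Return (timestamp, caller, reasons) for CLI runs that cross tenant boundaries."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("exe").endswith("/" + CLI):
            continue
        caller = m.group("uid")
        if caller in PRIVILEGED_CALLERS:
            continue
        argv = shlex.split(m.group("argv"))
        reasons = []
        for i, tok in enumerate(argv):
            if tok == "--account" and i + 1 < len(argv) and argv[i + 1] != caller:
                reasons.append(f"acts as {argv[i + 1]}")
            elif tok.startswith("/") and not path_within_home(tok, caller):
                reasons.append(f"path outside home {tok}")
        if reasons:
            findings.append((m.group("ts"), caller, reasons))
    return findings


# Constructed sample lines: one benign run, one cross-tenant run, one privileged run,
# and one unrelated process that the scanner must ignore.
SAMPLE_LOG = [
    '2026-05-01T10:00:00Z uid=alice exe=/usr/local/bin/tenant-cli argv="--account alice --site-path /home/alice/public_html -- status"',
    '2026-05-01T10:00:05Z uid=alice exe=/usr/local/bin/tenant-cli argv="--account bob --site-path /home/bob/public_html -- status"',
    '2026-05-01T10:00:09Z uid=root exe=/usr/local/bin/tenant-cli argv="--account bob --site-path /home/bob/public_html -- status"',
    '2026-05-01T10:00:12Z uid=alice exe=/bin/ls argv="-la /home/bob"',
]

if __name__ == "__main__":
    print(build_argv("alice", "alice", "/home/alice/public_html", ["status"]))
    print(weak_build_argv("alice", "/home/alice/public_html", "--account bob"))
    for ts, caller, reasons in scan_cli_log(SAMPLE_LOG):
        print(ts, caller, "; ".join(reasons))
```

The authorization decision in `build_argv` is made on the server-side identity of the caller, not on any value the caller supplied, and every user-controlled token is either allowlisted or pushed behind `--`. The log scanner is deliberately narrow: it only understands the hypothetical option names above, so it serves as a template for the real CLI's argument layout rather than a drop-in rule.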

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical nature of this flaw, administrators must prioritize patching the WordPress Toolkit. Failure to address this could result in unauthorized administrative control over hosted WordPress sites, significantly impacting security posture and customer trust.