CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root via `lsws.redisAble`, actively exploited
From CTI Daily Brief — 2026-05-24 · published 2026-05-24
CVE-2026-48172 is an incorrect-privilege-assignment flaw (CWE-266) scored CVSS 4.0 = 10.0 in the LiteSpeed User-End cPanel plugin, versions 2.3 through 2.4.4. The defect sits in the lsws.redisAble function of the plugin's JSON-API endpoint — the handler that toggles Redis support — which is exposed by default to every logged-in cPanel user. A single API call with crafted parameter values executes arbitrary scripts as root; there is no race to win and no administrator (WHM) access required, so any low-privilege tenant or compromised hosting account escalates to full server root (GitHub Advisory GHSA-fxrh-cwjh-m33v, 2026-05-21). LiteSpeed confirms the vulnerability "is being actively exploited" across all 2.3–2.4.4 versions; cPanel auto-removed the vulnerable plugin during its 2026-05-19 nightly update, and the vendor shipped fixes in plugin v2.4.6 (initial) and v2.4.7 / WHM plugin v5.3.1.0 (full review) (LiteSpeed, 2026-05-21). The LiteSpeed WHM plugin is not affected.
On multi-tenant shared hosting — the dominant model for EU/CH SME and small public-sector web presences — root on the box exposes every co-tenant's TLS private keys, web-app source, database credentials and mail spool. Hunt cPanel access logs for the string cpanel_jsonapi_func=redisAble; any occurrence from a non-administrative account is the vendor-described exploitation artefact. Map to ATT&CK T1068 (Exploitation for Privilege Escalation). Hardening: upgrade to plugin v2.4.7 / WHM v5.3.1.0 immediately, or disable the LiteSpeed cPanel plugin until patched.
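The hunt above can be run as a small parser rather than a literal string search. The following is an added example written for this brief; it is not code from LiteSpeed, cPanel or the advisory. It assumes a cPanel `access_log` layout of client IP, `-`, account name, `[timestamp]`, quoted request line, status and byte count (an assumption; adjust the regex to the real layout on your host), and an allowlist of administrative account names (`root` by default, also an assumption). The sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the assumed cPanel access_log layout. The IPs,
# account names, session ids and timestamps are fabricated, not real data.
SAMPLE_LOG = """\
203.0.113.7 - tenant01 [21/05/2026:03:12:44 +0000] "GET /cpsess1234567890/json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble&cpanel_jsonapi_apiversion=2&arg=x HTTP/1.1" 200 512
203.0.113.7 - tenant01 [21/05/2026:03:12:45 +0000] "GET /cpsess1234567890/json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=%72edis%41ble HTTP/1.1" 200 512
198.51.100.5 - root [21/05/2026:08:00:01 +0000] "GET /cpsess0987654321/json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
192.0.2.9 - tenant02 [21/05/2026:09:30:00 +0000] "GET /cpsess1111111111/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=listpops HTTP/1.1" 200 2048
this line is not in the expected layout and is skipped
"""

# Assumed layout: ip, "-", account, [timestamp], "METHOD path HTTP/x", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# The vulnerable JSON-API function named in the advisory; compared
# case-insensitively after the query string has been percent-decoded.
TARGET_FUNC = "redisable"


def parse_line(line):
    """Parse one access_log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values, so encoded spellings of the parameter
    # are compared as the server would have dispatched them.
    params = parse_qs(urlsplit(rec["url"]).query)
    rec["module"] = params.get("cpanel_jsonapi_module", [""])[0]
    rec["func"] = params.get("cpanel_jsonapi_func", [""])[0]
    return rec


def find_redisable_calls(log_text, admin_accounts=frozenset({"root"})):
    """Return every call to the redisAble JSON-API function, tagged with
    whether the calling account is in the administrative allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["func"].lower() != TARGET_FUNC:
            continue
        rec["admin"] = rec["user"] in admin_accounts
        hits.append(rec)
    return hits


def non_admin_calls(log_text, admin_accounts=frozenset({"root"})):
    """The vendor-described exploitation artefact: redisAble invoked by an
    account that is not administrative."""
    return [h for h in find_redisable_calls(log_text, admin_accounts)
            if not h["admin"]]


if __name__ == "__main__":
    for h in non_admin_calls(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} account={h["user"]} '
              f'func={h["func"]} status={h["status"]}')
```

Decoding the query string before comparing is the point of doing this in a parser: a literal search for `cpanel_jsonapi_func=redisAble` only matches one spelling of the parameter, whereas the decoded value is what the JSON-API handler actually saw. The parser only reads the request line, so it reports what the access log records and nothing more; results should be joined against the account list to confirm which hits are tenant accounts rather than reseller or administrative users.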