Author Topic: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ  (Read 8186 times)


I'm not sure if the File Manager issue is resolved with the update, because my server was recently hacked. Or it was hacked a while ago but the hacker only acted now, because it only affected traffic to the sites I have on the VPS two weeks ago, and it only affected the .htaccess file since October 17th.
I've been closely monitoring the VPS since the 18th, and apparently nothing strange has happened again. However, I warn you that WordPress websites, in particular, have contaminated files. That is, in addition to new files, they also modify WordPress system files, and the only solution is deleting and restoring a backup.
Also, on WordPress websites, users appeared in the database that were not visible in the WordPress user manager. You need to remove them via phpMyAdmin.
The hacker modified the robots.txt and .htaccess files to direct traffic to an online store.
I recommend everyone try a Google search for "site:yourdomain.tld" to check for abnormal results or redirects.

I recommend restoring backups of everything in the public_html folder because if any file is infected, the malicious files will reappear.
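An added check for the .htaccess tampering described in this post (example code, not from the thread or from CWP): it flags Redirect and RewriteRule directives whose target is an absolute URL on a host you do not own, which is how a redirect to an outside store shows up. The site hosts and the sample .htaccess below are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a standard WordPress block followed by two injected
# rules that send visitors to an unrelated shop (hosts are made up).
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_HOST} ^(www\\.)?example-site.test$
RewriteRule ^(.*)$ http://shop.example-store.test/$1 [R=301,L]
Redirect 301 /products https://shop.example-store.test/
"""

# Hostnames that legitimately belong to this site (assumed for the example).
OWN_HOSTS = {"example-site.test", "www.example-site.test"}

# Directives that can send the client somewhere else.
DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(.*)$", re.I
)


def external_redirects(htaccess_text, own_hosts):
    """Return (line_no, directive, target_host) for every redirect-type
    directive whose target is an absolute URL on a host not in own_hosts."""
    findings = []
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        # RewriteRule <pattern> <target> [flags]; Redirect [status] <path> <url>
        for tok in m.group(2).split():
            host = urlparse(tok).hostname if "://" in tok else None
            if host and host.lower() not in own_hosts:
                findings.append((n, line.strip(), host))
                break
    return findings


if __name__ == "__main__":
    for n, directive, host in external_redirects(SAMPLE_HTACCESS, OWN_HOSTS):
        print(f"line {n}: redirect to external host {host}: {directive}")
```

Run it against the real file with `external_redirects(open(".htaccess").read(), {"yourdomain.tld", "www.yourdomain.tld"})`; the stock WordPress rules produce no findings because their targets are relative paths.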

I'm not sure if the File Manager issue is resolved with the update
https://fenrisk.com/rce-centos-webpanel
Quote
Conclusion
This exploitation scenario has been tested on versions 0.9.8.1204 and 0.9.8.1188 on CentOS 7 and reported to CWP developers on the 13th of May 2025 as CVE-2025-48703. It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server.

The vulnerability has been patched in the latest version, 0.9.8.1205, during June 2025.

Timeline
13/05/2025: First contact with CWP.
23/05/2025: CVE-2025-48703 assigned.
18/06/2025: Patch available on version 0.9.8.1205.