A vulnerability has been discovered in cPanel's WebHost Manager reseller control panel, which could be exploited to allow malicious users to run some commands as root (superuser).
The exploit affects a feature in WebHost Manager through which resellers can let their users retrieve lost or forgotten passwords via email. The setting, found in WebHost Manager in the "Tweak Settings" section, "is built into all compiled cPanel binaries and as such can not be patched," according to an advisory on the BugTraq mailing list, which includes instructions on addressing the vulnerability.
Source: Netcraft