PT-2026-56285 · Webpros · Plesk

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-56843

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions WebPros Plesk versions prior to 18.0.78.4
Description Incorrect authorization in the XML-RPC API allows a low-privileged authenticated customer to look up domains they do not own. This occurs because ownership is enforced only for specific lookup filters and schema validation is bypassed for legacy protocol versions. This flaw leads to cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be used to execute code as another tenant's system user.
Recommendations Update WebPros Plesk to version 18.0.78.4 or later.

Fix

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56843

Affected Products

Plesk