PT-2026-56285 · Webpros · Plesk
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-56843
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WebPros Plesk versions prior to 18.0.78.4
Description
Incorrect authorization in the XML-RPC API allows a low-privileged authenticated customer to look up domains they do not own. This occurs because ownership is enforced only for specific lookup filters and schema validation is bypassed for legacy protocol versions. This flaw leads to cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be used to execute code as another tenant's system user.
Recommendations
Update WebPros Plesk to version 18.0.78.4 or later.
Fix
Insufficiently Protected Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Plesk