Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
XML API is network-reachable (AV:N/AC:L) but needs a valid low-privileged account (PR:L); root file write escapes the app boundary (S:C) giving full C:H/I:H/A:H.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server.
AnalysisAI
Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Plesk account (CVSS PR:L) with the ability to reach the Plesk XML API - for example a reseller or customer login on a multi-tenant hosting server - and the ability to send crafted API requests injecting configuration directives. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue, not an inflated CVSS number. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant on a shared Plesk server (or an attacker who has phished or purchased a low-privileged reseller/customer login) authenticates to the panel and issues crafted XML API requests that smuggle unauthorized configuration directives into a root-owned service config. The injected directives are written to disk as root, letting the attacker plant or overwrite a privileged file (e.g. … |
| Remediation | Apply the fix described in the Plesk vendor advisory (https://support.plesk.com/hc/en-us/articles/41171817973143-Vulnerability-in-Plesk-XML-API) - patch available per vendor advisory, though an exact fixed version number is not confirmed in the available data, so verify the target build against that article before and after updating and enable Plesk automatic updates. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Plesk instances; restrict panel access to administrative networks only via IP whitelisting; disable the XML API if not operationally required. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to e
Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. Rated critical severity (CVSS 9.0), this vu
Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0. Rated high severity (CVSS 7.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41892
GHSA-29pr-6qrg-q2x4