Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Authenticated low-priv customer (PR:L) over the network with low complexity crosses the tenant trust boundary (S:C), leaking credentials (C:H) that enable code execution as another user (I:H/A:H).
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.
AnalysisAI
Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated low-privileged Plesk customer account on the target server (PR:L) and the ability to reach the XML-RPC API over the network (AV:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a genuine high priority rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged customer on a shared Plesk server authenticates to the XML-RPC API and issues a domain-lookup request using a legacy protocol version and a filter that skips the ownership check, returning domain records owned by other tenants along with their cleartext FTP credentials. The attacker logs in over FTP as a victim tenant's system user and drops or modifies files, achieving code execution in the victim's context. … |
| Remediation | Vendor-released patch: update to Plesk 18.0.78.4 or later, which restores ownership enforcement across all XML-RPC lookup filters and closes the legacy-protocol schema-validation bypass; refer to https://support.plesk.com/hc/en-us/articles/41178305151255-Vulnerability-in-Plesk-XML-API-Cleartext-FTP-Password-Exposure for the authoritative guidance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Plesk deployments and determine which operate in multi-tenant mode; review XML-RPC API access logs for domain enumeration activity from low-privilege accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper
Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. Rated critical severity (CVSS 9.0), this vu
Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0. Rated high severity (CVSS 7.
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42144
GHSA-m4rp-7vj2-ggpc