CVE-2026-48614
WebPros · Plesk
An improper authorization vulnerability in the Plesk XML API allows authenticated users to inject configuration directives, leading to arbitrary file writes and full root privilege escalation.
Executive summary
A critical authorization vulnerability in WebPros Plesk allows authenticated attackers to escalate privileges to root, posing a severe threat to server integrity.
Vulnerability
This vulnerability involves an improper authorization flaw within the XML API, which permits an authenticated user to perform unauthorized configuration injections. This results in the ability to write arbitrary files to the filesystem with root-level permissions.
Business impact
The potential for full privilege escalation to root provides an attacker with complete control over the affected server. Given the CVSS score of 9.9, this vulnerability represents an extreme risk, enabling data exfiltration, service disruption, and the deployment of persistent malicious backdoors.
Remediation
Immediate Action: Upgrade WebPros Plesk to version 18.0.78 or later immediately to resolve the API authorization flaw.
Proactive Monitoring: Review XML API access logs for anomalous configuration requests or suspicious calls originating from low-privileged accounts.
Compensating Controls: Restrict access to the Plesk XML API at the network level to trusted IP addresses only, limiting the attack surface available to unauthorized actors.
Exploitation status
Public Exploit Available: False
Analyst recommendation
The severity of this vulnerability cannot be overstated, as it grants full control over the underlying server infrastructure. System administrators must prioritize the update to version 18.0.78 to mitigate the risk of complete system compromise.