CVE-2026-56843
Webpros · Plesk
WebPros Plesk contains an authorization flaw in the XML-RPC API that allows authenticated customers to access cross-tenant data and plaintext FTP credentials.
Executive summary
A critical authorization vulnerability in the WebPros Plesk XML-RPC API allows low-privileged users to access other tenants' cleartext credentials and escalate privileges.
Vulnerability
The vulnerability is an insufficient protection of credentials (CWE-522) where the XML-RPC API fails to enforce proper ownership checks for specific lookup filters, leading to cross-tenant information disclosure.
Business impact
With a CVSS score of 9.9, this vulnerability represents a severe risk to multi-tenant environments. An attacker can harvest FTP credentials from other tenants, potentially leading to unauthorized cross-tenant file access and privilege escalation to the system user level, which could result in widespread data breaches across the hosting platform.
Remediation
Immediate Action: Apply the latest security update provided by WebPros to upgrade Plesk to version 18.0.78.4 or later.
Proactive Monitoring: Monitor API access logs for anomalous lookup patterns or unusual XML-RPC requests originating from low-privileged customer accounts.
Compensating Controls: If patching is delayed, restrict access to the XML-RPC API endpoints for untrusted users or implement strict IP-based access controls for API management.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk of cross-tenant credential exposure in a hosting environment is extreme. It is imperative that administrators of Plesk instances verify their version and apply the update immediately to prevent unauthorized access to customer data and potential system-wide compromise.