CVE-2026-56843

Webpros · Plesk

WebPros Plesk contains an authorization flaw in the XML-RPC API that allows authenticated customers to access cross-tenant data and plaintext FTP credentials.

Executive summary

A critical authorization vulnerability in the WebPros Plesk XML-RPC API allows low-privileged users to access other tenants' cleartext credentials and escalate privileges.

Vulnerability

The vulnerability is an insufficient protection of credentials (CWE-522) where the XML-RPC API fails to enforce proper ownership checks for specific lookup filters, leading to cross-tenant information disclosure.

Business impact

With a CVSS score of 9.9, this vulnerability represents a severe risk to multi-tenant environments. An attacker can harvest FTP credentials from other tenants, potentially leading to unauthorized cross-tenant file access and privilege escalation to the system user level, which could result in widespread data breaches across the hosting platform.

Remediation

Immediate Action: Apply the latest security update provided by WebPros to upgrade Plesk to version 18.0.78.4 or later.

Proactive Monitoring: Monitor API access logs for anomalous lookup patterns or unusual XML-RPC requests originating from low-privileged customer accounts.

Compensating Controls: If patching is delayed, restrict access to the XML-RPC API endpoints for untrusted users or implement strict IP-based access controls for API management.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The risk of cross-tenant credential exposure in a hosting environment is extreme. It is imperative that administrators of Plesk instances verify their version and apply the update immediately to prevent unauthorized access to customer data and potential system-wide compromise.