WebPros Plesk Arbitrary Code Execution Vulnerability via Domain Creation

Vulnerability

A vulnerability allowing remote authenticated users to execute arbitrary code as root has been identified in WebPros Plesk versions before 18.0.73.5, and in 18.0.74 before 18.0.74.2, on Linux. The issue is in the domain creation process and can be exploited by users who have the 'Create and manage sites' permission together with 'Domains management' and 'Subdomains management' access.

Impact

Exploitation of this vulnerability results in local privilege escalation: a malicious Plesk user can execute code as root, thereby compromising the Plesk server.

Remediation

Users can update Plesk to the latest version to address this vulnerability. Instructions for installing Plesk updates are available in the Plesk support documentation.
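
To decide which servers need the update, the two affected ranges have to be checked per branch: a single "older than 18.0.74.2" comparison would wrongly flag 18.0.73.5, and a single "older than 18.0.73.5" comparison would miss 18.0.74.1. The following is an added example, not code from the advisory or from Plesk; the inventory hostnames and versions are constructed, and treating a missing fourth version component as 0 is an assumption.

```python
import re

# Fixed builds taken from the advisory text: 18.0.73.5 on the 18.0.73 branch,
# 18.0.74.2 on the 18.0.74 branch.
FIXED_73 = (18, 0, 73, 5)
FIXED_74 = (18, 0, 74, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract the first dotted version from text as a 4-tuple of ints.

    A missing fourth (update) component is treated as 0, which is an
    assumption of this example, not something the advisory states.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(text):
    """Return True if the version falls in a range the advisory lists."""
    v = parse_version(text)
    if v[:3] == (18, 0, 74):
        # 18.0.74 branch: affected until 18.0.74.2.
        return v < FIXED_74
    # Everything else: affected if older than 18.0.73.5.
    return v < FIXED_73


def triage(inventory):
    """Map {host: version string} to a sorted list of hosts needing the update."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "web-01": "Plesk Obsidian 18.0.73.4",
    "web-02": "18.0.73.5",
    "web-03": "18.0.74.1",
    "web-04": "18.0.74.2",
    "web-05": "18.0.72.3",
    "web-06": "18.0.75",
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(f"{host}: update required ({SAMPLE[host]})")
```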

Added: Dec 3, 2025, 5:33 PM
Updated: Dec 3, 2025, 5:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.2
remediation: 7.7
relevance: 1.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.