CVE-2025-66431 | THREATINT

Description

WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdomains management."

PUBLISHED Reserved 2025-11-30 | Published 2025-12-03 | Updated 2025-12-03 | Assigner mitre

HIGH: 7.8CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-61 UNIX Symbolic Link (Symlink) Following

Product status

Default status

unaffected

Any version before 18.0.73.5

affected

18.0.74 (custom) before 18.0.74.2

affected

References

docs.plesk.com/release-notes/obsidian/whats-new/

docs.plesk.com/release-notes/obsidian/change-log/

support.plesk.com/...xecute-arbitrary-code-on-behalf-of-root

cve.org (CVE-2025-66431)

nvd.nist.gov (CVE-2025-66431)