Home

Description

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.

PUBLISHED Reserved 2026-06-23 | Published 2026-07-08 | Updated 2026-07-08 | Assigner hackerone




CRITICAL: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-522 Insufficiently Protected Credentials

Product status

Default status
unaffected

10.4 (semver) before 18.0.78.4
affected

References

support.plesk.com/...XML-API-Cleartext-FTP-Password-Exposure

cve.org (CVE-2026-56843)

nvd.nist.gov (CVE-2026-56843)

Download JSON