CVE-2026-56843 PUBLISHED

Assigner: hackerone
Reserved: 23.06.2026 Published: 08.07.2026 Updated: 08.07.2026

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Product Status

Vendor Webpros
Product Plesk
Versions Default: unaffected
  • affected from 10.4 to 18.0.78.4 (excl.)

References

Problem Types

  • CWE-522 Insufficiently Protected Credentials CWE