Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.
Metrics
Affected Vendors & Products
References
History
Tue, 14 Jul 2026 06:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Cross-tenant Disclosure of Cleartext FTP Credentials via XML‑RPC API in Plesk |
Mon, 13 Jul 2026 10:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Cross-tenant Disclosure of Cleartext FTP Credentials via XML‑RPC API in Plesk |
Sun, 12 Jul 2026 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Cross‑Tenant FTP Credential Exposure via Weak XML‑RPC Authorization in Plesk |
Sat, 11 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Cross‑Tenant FTP Credential Exposure via Weak XML‑RPC Authorization in Plesk |
Fri, 10 Jul 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Cross-Tenant FTP Credential Disclosure via XML-RPC API Authorization Bypass |
Thu, 09 Jul 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Cross-Tenant FTP Credential Disclosure via XML-RPC API Authorization Bypass |
Wed, 08 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 02:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Webpros
Webpros plesk |
|
| Vendors & Products |
Webpros
Webpros plesk |
Wed, 08 Jul 2026 01:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user. | |
| Weaknesses | CWE-522 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: hackerone
Published: 2026-07-08T00:15:43.120Z
Updated: 2026-07-08T13:04:17.023Z
Reserved: 2026-06-23T15:00:03.632Z
Link: CVE-2026-56843
Updated: 2026-07-08T13:04:13.970Z
No data.
No data.