CVE-2025-66431
7.8
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdomains management."
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Plesk | Plesk | 0 < 18.0.73.5 | affected |
| Plesk | Plesk | 18.0.74 < 18.0.74.2 | affected |
Weaknesses
- CWE-61: CWE-61 UNIX Symbolic Link (Symlink) Following
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://docs.plesk.com/release-notes/obsidian/whats-new/
- https://docs.plesk.com/release-notes/obsidian/change-log/#plesk-18074
- https://support.plesk.com/hc/en-us/articles/36494997377687–CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.