Cross-Site Scripting (XSS) vulnerability in Plesk
Description
Plesk versions 17.0 through 18.0.31 are vulnerable to Cross-Site Scripting. A malicious subscription owner (either a customer or an additional user) can fully compromise the server if an administrator visits a certain page in Plesk related to the malicious subscription.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Plesk 17.0 to 18.0.31 is vulnerable to stored Cross-Site Scripting, allowing a malicious subscription owner to fully compromise the server when an admin visits a crafted page.
Vulnerability
Plesk versions 17.0 through 18.0.31 are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability, identified as CWE-79 [1]. A malicious subscription owner, such as a customer or an additional user, can inject malicious script into a certain page within Plesk related to the subscription. The vulnerability resides in the improper neutralization of user input during page generation, enabling the stored XSS attack to persist until an administrator visits the affected page [1].
Exploitation
An attacker must hold a subscription owner role (e.g., a customer or additional user) and craft malicious payloads that become stored on the Plesk server. Beyond the administrator later navigating to the specific page associated with that subscription, no further interaction from the victim is required [1]. The CVSS v3.1 base score is 8.8, with a vector string of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating low attack complexity, low privileges required, and no user interaction [1].
Impact
Successful exploitation allows the attacker to fully compromise the Plesk server, achieving high impact on confidentiality, integrity, and availability [1]. The attacker can execute arbitrary script in the context of the administrator’s session, potentially leading to complete control over the Plesk instance and hosted services.
Mitigation
Plesk has released a security patch for all affected versions (17.0 through 18.0.31). Administrators should update to the latest supported Plesk version or apply the specific patch provided by Plesk [1]. No workaround is mentioned; upgrading or patching is the recommended course of action [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.