CVE-2025-66431
HIGH
WebPros Plesk <18.0.73.5, <18.0.74.2 - Authenticated RCE
Title source: llm
Description
WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdomains management."
References (3)
Scores
CVSS v3: 7.8
EPSS: 0.0004
EPSS Percentile: 12.2%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-61
Status: published
Products (2)
Plesk/Plesk: < 18.0.73.5
Plesk/Plesk: 18.0.74 - 18.0.74.2
Published: Dec 03, 2025
Tracked Since: Feb 18, 2026