CVE-2025-66431
HIGH
WebPros Plesk <18.0.73.5, <18.0.74.2 - Authenticated RCE
Title source: llm
Description
WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdomains management."
References (3)
Core References
Various Sources
https://docs.plesk.com/release-notes/obsidian/whats-new/
Scores
CVSS v3
7.8
EPSS
0.0021
EPSS Percentile
11.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-61
Status
published
Products (2)
Plesk/Plesk
< 18.0.73.5
Plesk/Plesk
18.0.74 - 18.0.74.2
Published
Dec 03, 2025
Tracked Since
Feb 18, 2026