Situation

A critical vulnerability (internal ID PFSI-62465) was identified and fixed in Plesk a long time ago. Complete information about exploiting this vulnerability is going to be disclosed publicly.
Vulnerable Plesk versions: from 17.0 to 18.0.31. These are unsupported Plesk versions, for which hotfixes are no longer released.
Impact

All supported versions of Plesk are immune. If you use one of them, there is no impact for you.
Otherwise, if your Plesk instance is vulnerable (you are running Plesk 17.0 to 18.0.31), a malicious subscription owner (customer or additional user) can fully compromise the server if an admin visits a certain page in Plesk related to the malicious subscription.
Call to action

Keep your Plesk instances up-to-date.
Quote

Warning: Please do not apply the patch if you are not running the latest Plesk Onyx microupdates (Version 17.0.17 Update #86, Version 17.5.3 Update #98, Version 17.8.11 Update #95) - such a situation may occur on OSes that have reached their EOL (e.g. Ubuntu 14.04, Debian 8, CentOS 6) before microupdates were applied.
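As an added example (not part of the advisory and not Plesk's own tooling), the following script turns the two facts above into a check an administrator can run over the output of `plesk version`: whether the installed release falls inside the vulnerable range 17.0 to 18.0.31, and, for the three Onyx releases named in the quoted warning, whether the installed microupdate level meets the minimum required before applying the patch. The sample `plesk version` output embedded in the block is constructed for illustration; the "Product version:" line format and the presence of a fourth version component are assumptions about the tool's output.

```python
import re
from typing import Dict, Optional, Tuple

# Inclusive release range the advisory names as vulnerable (PFSI-62465).
VULN_MIN = (17, 0)
VULN_MAX = (18, 0, 31)

# Minimum Onyx microupdate levels quoted in the advisory's patch warning.
PATCH_PREREQ: Dict[Tuple[int, ...], int] = {
    (17, 0, 17): 86,
    (17, 5, 3): 98,
    (17, 8, 11): 95,
}

# Matches "18.0.31.3" or "17.0.17 Update #86" (2 to 4 dotted components,
# optional microupdate suffix).
VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})(?:\s+Update\s+#(\d+))?")

# Constructed sample of `plesk version` output (assumed format, for the demo).
SAMPLE_OUTPUT = """Product version: Plesk Obsidian 18.0.31.3
OS version: Ubuntu 18.04 x86_64
Build date: 2020/11/04 13:00
Architecture: 64-bit
"""


def parse_plesk_version(text: str) -> Optional[Tuple[Tuple[int, ...], int]]:
    """Return (release tuple, microupdate number) from a version string or from
    full `plesk version` output. Prefers the "Product version:" line so that an
    OS version such as "Ubuntu 18.04" is never mistaken for the product."""
    candidate = text
    for line in text.splitlines():
        if line.startswith("Product version:"):
            candidate = line
            break
    m = VERSION_RE.search(candidate)
    if m is None:
        return None
    release = tuple(int(part) for part in m.group(1).split("."))
    update = int(m.group(2)) if m.group(2) else 0
    return release, update


def is_affected(release: Tuple[int, ...]) -> bool:
    """True when the release lies in the advisory's range 17.0 .. 18.0.31.
    Only the first three components matter: 18.0.31.x is still 18.0.31.
    Releases older than 17.0 are outside the range the advisory names."""
    return VULN_MIN <= release[:2] and release[:3] <= VULN_MAX


def meets_patch_prerequisite(release: Tuple[int, ...], update: int) -> Optional[bool]:
    """For the Onyx releases listed in the warning, True when the installed
    microupdate is at or above the required level; None for other releases."""
    required = PATCH_PREREQ.get(tuple(release[:3]))
    if required is None:
        return None
    return update >= required


def assess(text: str) -> Dict[str, object]:
    """Summarise the exposure of one Plesk instance from its version output."""
    parsed = parse_plesk_version(text)
    if parsed is None:
        return {"release": None, "affected": None, "patch_prerequisite_ok": None}
    release, update = parsed
    return {
        "release": ".".join(str(p) for p in release),
        "update": update,
        "affected": is_affected(release),
        "patch_prerequisite_ok": meets_patch_prerequisite(release, update),
    }


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with the real output of `plesk version` on a host.
    for label, text in [("obsidian", SAMPLE_OUTPUT),
                        ("onyx", "Version 17.0.17 Update #85")]:
        print(label, assess(text))
```

Running it on a real host means feeding the captured `plesk version` text to `assess()`; a result of `affected: True` on a supported release line would indicate the parser's assumptions about the output format need adjusting, since the advisory states all supported versions are immune.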