Rest API vulnerability to a CSRF attack in Plesk

Situation

The article "COMPROMISING PLESK VIA ITS REST API" disclosed a vulnerability in the Plesk Rest API extension. The vulnerability is tracked as #PFSI-63762.

By means of social engineering, an attacker can trick a user into opening a malicious HTML page. That page sends a request to the Rest API cli-gate endpoint at https://203.0.113.2:8443/api/v2/cli/commands, and because the browser attaches the user's existing Plesk Rest API session, the server executes a Plesk CLI command on behalf of the already authenticated user (cross-site request forgery).

Impact

In Plesk versions starting from Plesk 17.8, an attacker can execute commands and/or alter settings, including changing the admin's password.

98.4% of Plesk servers had the extension updated automatically and were not impacted.

Fixes were delivered as follows:

  • For Plesk versions 18.0.26 and newer: on July 5, 2022
  • For Plesk versions 17.8.10 - 18.0.25: on September 26, 2022

Call to Action

The vulnerability was fixed by an update of the Rest API extension.

Therefore, if the Daily Maintenance scheduled task is not working on the server (so the extension may not have been updated automatically), take the following steps to check whether the vulnerability is still present:

  1. Connect to the server via SSH (Linux) or RDP (Windows)
  2. Run the following command (on Windows, via cmd.exe):

    # plesk db "select name, version from Modules where name = 'rest-api'"

The Rest API version should be:

  • For Plesk version 18.0.26 and newer:
    1.5.9 or higher
  • For Plesk versions 17.8.10 - 18.0.25:
    1.4.8 or higher

If the installed version is lower than the one listed above for the Plesk version in question, upgrade the Rest API extension with the command for your Plesk version:

For Plesk version starting from 18.0.26

# plesk bin extension -g rest-api

For Plesk versions 17.8.10 - 18.0.25

# plesk bin extension --upgrade-url https://ext.plesk.com/packages/5d72bca6-ab97-4faf-89a4-5ea9ee5a4d1f-rest-api/download?1.4.8-197
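The check above, as an added helper script that is not part of the original article: it compares the installed rest-api extension version against the fixed version the article lists for the running Plesk release. The function names, the "unknown" result for releases older than 17.8.10 (for which the article lists no fixed version), and the commands in the trailing comment used to obtain the live values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Plesk KB article). Thresholds come from the
# article: 18.0.26+ needs rest-api 1.5.9+, 17.8.10-18.0.25 needs 1.4.8+.

# version_ge A B: return 0 when dotted version A >= B (component-wise numeric).
version_ge() {
    _a="$1"; _b="$2"
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x="${_a%%.*}"; _y="${_b%%.*}"
        [ "$_x" = "$_a" ] && _a="" || _a="${_a#*.}"
        [ "$_y" = "$_b" ] && _b="" || _b="${_b#*.}"
        _x="${_x:-0}"; _y="${_y:-0}"
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
    done
    return 0
}

# required_rest_api_version PLESK_VERSION: print the minimum fixed rest-api
# version for that Plesk release, or "unknown" if the article lists none.
required_rest_api_version() {
    if version_ge "$1" "18.0.26"; then echo "1.5.9"
    elif version_ge "$1" "17.8.10"; then echo "1.4.8"
    else echo "unknown"; fi
}

# rest_api_status PLESK_VERSION REST_API_VERSION: print "fixed", "vulnerable"
# or "unknown" (no fixed version listed for this Plesk release).
rest_api_status() {
    _req=$(required_rest_api_version "$1")
    if [ "$_req" = "unknown" ]; then echo "unknown"
    elif version_ge "$2" "$_req"; then echo "fixed"
    else echo "vulnerable"; fi
}

# On a real Linux Plesk server (assumed paths/options, not from the article):
# /usr/local/psa/version holds the product version, and "plesk db" accepts
# mysql client options, so the live check would be:
#   rest_api_status "$(cut -d' ' -f1 /usr/local/psa/version)" \
#       "$(plesk db -Ne "select version from Modules where name='rest-api'")"
```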

Note: To keep the Plesk server protected with the latest security updates, it is recommended to keep the server up to date:
https://plesk-new.zendesk.com/hc/en-us/articles/12377055926551

© 2025 WebPros International GmbH