Plesk Panel 11.0.9 and possibly earlier versions contain multiple privilege escalation vulnerabilities.
Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user.
Special-case rules in Plesk's custom version of Apache suexec allow execution of arbitrary code as an arbitrary user id above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum.
An authenticated attacker may be able to escalate their privileges to root, allowing them to run arbitrary code as the root user.
Parallels' Plesk Panel advisory states the following workaround:
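As an added example (not code from Plesk, Parallels or this advisory), the following Python sketch shows how an administrator could audit for the condition described above: accounts whose UID is at or above the suexec minimum and that also hold a privileged group. The minimum UID, the privileged group list and the sample passwd/group data are assumptions constructed for illustration; the advisory does not state the actual minimum value.

```python
# Added audit sketch (not Plesk or CERT code). It lists accounts whose UID is at
# or above a suexec-style minimum and that also hold a privileged group.
# Assumption: PRIVILEGED_GROUPS is a hypothetical list; adjust per distribution.
# It does not inspect sudoers or file capabilities.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "adm", "disk", "shadow"}

def parse_passwd(text):
    """Yield (name, uid, gid) from passwd(5)-format text, skipping bad lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # blank lines, comments, NIS compat entries such as "+::::::"
        yield fields[0], int(fields[2]), int(fields[3])

def parse_group(text):
    """Return {group: (gid, members)} from group(5)-format text."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[2].isdigit():
            groups[fields[0]] = (int(fields[2]), {m for m in fields[3].split(",") if m})
    return groups

def exposed_accounts(passwd_text, group_text, min_uid):
    """Return [(name, uid, [privileged groups])] for accounts with uid >= min_uid."""
    groups = parse_group(group_text)
    findings = []
    for name, uid, gid in parse_passwd(passwd_text):
        if uid < min_uid:
            continue  # not reachable through the minimum-UID rule
        held = sorted(g for g, (ggid, members) in groups.items()
                      if g in PRIVILEGED_GROUPS and (ggid == gid or name in members))
        if held:
            findings.append((name, uid, held))
    return findings

# Constructed sample data; on a real host read /etc/passwd and /etc/group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backupadm:x:10003:10003:Backup operator:/home/backupadm:/bin/bash
site1:x:10010:10010:Customer site:/var/www/vhosts/site1:/bin/false
opsadmin:x:10001:10:Ops admin:/home/opsadmin:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:\nsudo:x:27:backupadm\nsite1:x:10010:\n"
HYPOTHETICAL_MIN_UID = 10000  # placeholder; the page does not state Plesk's value

if __name__ == "__main__":
    for name, uid, held in exposed_accounts(SAMPLE_PASSWD, SAMPLE_GROUP, HYPOTHETICAL_MIN_UID):
        print(f"{name} (uid {uid}) is above the minimum and in: {', '.join(held)}")
```

Any account the check reports is a candidate for renumbering below the minimum or for removal from the privileged group.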
Thanks to Ronald Volgers of Pine Digital Security for reporting this vulnerability.
This document was written by Michael Orlando.