• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Mail 'application user' has access to WPT by default

Kaspar

API expert
Plesk Guru
Username:

TITLE


Mail 'application user' has access to WPT by default

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Any OS
Plesk 18.0.56

PROBLEM DESCRIPTION

When creating an emailaccount a Plesk 'application user' user is created too. The 'application user' has access to the WPT of the domain by default. Which poses a security risk.

STEPS TO REPRODUCE

1) Create domain, upon creation choose to install Wordpress
2) Create an email account for the domain
3) Log out of Plesk, login back again with credentials of mail user from step 2
4) Notice how user has access to the WPT and can modify settings

ACTUAL RESULT

Application users have access to WPT.

EXPECTED RESULT

Application users should not have access to WPT.

ANY ADDITIONAL INFORMATION

Could not reproduce issue on 18.0.54 server, but can on 18.0.56.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Last edited:
The issue has been confirmed, but for version 18.0.56 only. Tracking-IDs PPM-14172, PPP-62890. Workaround:
1) Backup /usr/local/psa/admin/plib/pm/Client.php to /usr/local/psa/admin/plib/pm/Client.php.bkp
2) Replace /usr/local/psa/admin/plib/pm/Client.php with the same file from version 18.0.55
 
2) Create an email account for the domain
by the way, I very much dislike that "Can be used to log in to Plesk" is checked by default. Giving a user more rights should be a conscious decision, not a forgotten default.
 
Back
Top