
Issue Unauthorized Extension Installations — Request for Clarification

Fede Marsell

Basic Pleskian
Server operating system version: AlmaLinux release 8.10
Plesk version and microupdate number: 18.0.74
Why are extensions being installed on servers without explicit authorization?

Following the previous security incident related to the unauthorized installation of Imunify (Issue - Important: Imunify auto installation and possible data leak), we are now facing another unexplained case.

The Joomla extension has installed itself automatically — without any manual action or approval from our side.

This is extremely concerning.

For clarity, our configuration explicitly disables automatic extension installation. In panel.ini, we have:

[ext-catalog]
extensionAutoInstall = false


Despite this setting being in place, the extension was installed anyway.

From a technical and security perspective, this raises serious concerns:
  • Why is Plesk installing extensions when auto-installation is explicitly disabled?
  • Is this behavior intentional?
  • Does Plesk override panel.ini settings under certain conditions?
  • What mechanism allows this to happen?
  • How can we guarantee that no further components will be deployed without administrator consent?
An extension installation is not a minor event. It modifies the production environment and introduces executable code into the system. Under standard security policies, this would be classified as an unauthorized change.

At this point, the Extensions system appears to represent a potential security risk if software can be deployed remotely regardless of administrator configuration.

We require a clear technical explanation and a definitive method to prevent this from happening again.
 
Hi, @Fede Marsell. The installation was performed due to the upcoming APS Catalog deprecation. Joomla! Toolkit is being installed on servers with Joomla! websites to preserve the ability to manage Joomla! instances through the Plesk interface. The Joomla Toolkit is a Plesk component, and we also constantly change the code of Plesk itself with every Plesk update.

Regarding the snippet you have in panel.ini, it is effective for controlling whether an extension can be automatically installed when the license for the extension is present on the server. It does not prevent rollouts of core Plesk extensions. Thus, in this particular case, this is expected.

The only way is to completely block the extension according to the following guide:
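
An added example, not part of the reply above, not the guide it refers to, and not Plesk's own code: because the reply states that `extensionAutoInstall = false` does not stop rollouts of core extensions, an administrator can audit what is actually installed against an approved list instead of relying on the setting. It assumes a saved copy of the `plesk bin extension --list` output with one `<id> - <title>` entry per line; the file names, the allowlist format and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the installed extension set, not only the panel.ini setting.

# Succeeds if panel.ini ($1) has extensionAutoInstall = false in [ext-catalog].
autoinstall_disabled() {
    awk '
        /^[ \t]*\[/ {                      # section header, e.g. [ext-catalog]
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        section == "ext-catalog" {
            line = $0
            sub(/;.*/, "", line); gsub(/[ \t\r"]/, "", line)
            if (tolower(line) == "extensionautoinstall=false") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prints IDs in a saved extension listing ($1) missing from the allowlist ($2).
# Assumed listing format: one "<id> - <title>" per line.
unapproved_extensions() {
    awk '
        FILENAME == ARGV[1] {              # allowlist: one ID per line, # comments
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 != "") approved[$0] = 1
            next
        }
        {
            id = $0
            sub(/[ \t]+-[ \t].*$/, "", id)  # strip " - Title"
            gsub(/[ \t\r]/, "", id)
            if (id != "" && !(id in approved)) print id
        }
    ' "$2" "$1" | sort -u
}

# Constructed sample data (not taken from a real server).
SAMPLE_DIR=$(mktemp -d)
printf '[ext-catalog]\nextensionAutoInstall = false\n' > "$SAMPLE_DIR/panel.ini"
printf 'wp-toolkit\nsslit  # approved 2025\n' > "$SAMPLE_DIR/approved.txt"
printf 'wp-toolkit - WP Toolkit\nsslit - SSL It!\njoomla-toolkit - Joomla! Toolkit\n' \
    > "$SAMPLE_DIR/installed.txt"

autoinstall_disabled "$SAMPLE_DIR/panel.ini" && echo "extensionAutoInstall = false is set"
for ext in $(unapproved_extensions "$SAMPLE_DIR/installed.txt" "$SAMPLE_DIR/approved.txt"); do
    echo "UNAPPROVED extension installed: $ext"
done
```

Run on a schedule against a fresh listing, any output from `unapproved_extensions` is a change to review under the same change-control process as any other new executable code.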

 