
Issue Unauthorized Extension Installations — Request for Clarification

Fede Marsell

Basic Pleskian
Server operating system version
AlmaLinux release 8.10
Plesk version and microupdate number
18.0.74
Why are extensions being installed on servers without explicit authorization?

Following the previous security incident related to the unauthorized installation of Imunify (Issue - Important: Imunify auto installation and possible data leak), we are now facing another unexplained case.

The Joomla extension has installed itself automatically — without any manual action or approval from our side.

This is extremely concerning.

For clarity, our configuration explicitly disables automatic extension installation. In panel.ini, we have:

[ext-catalog]
extensionAutoInstall = false


Despite this setting being in place, the extension was installed anyway.

From a technical and security perspective, this raises serious concerns:
  • Why is Plesk installing extensions when auto-installation is explicitly disabled?
  • Is this behavior intentional?
  • Does Plesk override panel.ini settings under certain conditions?
  • What mechanism allows this to happen?
  • How can we guarantee that no further components will be deployed without administrator consent?
An extension installation is not a minor event. It modifies the production environment and introduces executable code into the system. Under standard security policies, this would be classified as an unauthorized change.

At this point, the Extensions system appears to represent a potential security risk if software can be deployed remotely regardless of administrator configuration.

We require a clear technical explanation and a definitive method to prevent this from happening again.
 
Hi, @Fede Marsell . The installation was performed due to the upcoming APS Catalog deprecation. Joomla! Toolkit is being installed on servers with Joomla! websites to preserve the ability to manage Joomla! instances through the Plesk interface. The Joomla Toolkit is a Plesk component, and we constantly change the code of Plesk itself with every Plesk update.

Regarding the snippet you have in panel.ini, it is effective for controlling whether an extension can be automatically installed in case the license for the extension is present on the server. It does not prevent rollouts of core Plesk extensions. Thus, in this particular case it is expected.

The only way is to completely block the extension according to the following guide:
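Added example, not from this thread or from Plesk's own tooling: a POSIX shell check that confirms the panel.ini setting quoted in the opening post is in place and, separately, diffs the current extension inventory against a reviewed baseline, because the reply above says that setting does not cover core extension rollouts. The `<id> - <name>` line format of `plesk bin extension --list` and the file paths are assumptions; the sample lists are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit Plesk extension changes.
# Assumes `plesk bin extension --list` prints one "<id> - <name>" per line.

# Return 0 if panel.ini sets extensionAutoInstall = false inside [ext-catalog].
auto_install_disabled() {
  awk -F'=' '
    /^\[/ { in_sec = ($0 == "[ext-catalog]") }
    in_sec && $1 ~ /^[ \t]*extensionAutoInstall[ \t]*$/ {
      gsub(/[ \t]/, "", $2); if (tolower($2) == "false") found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Extract sorted extension ids from "<id> - <name>" lines.
extension_ids() {
  awk -F' - ' 'NF >= 2 { print $1 }' "$1" | sort -u
}

# Print ids present in the current list but absent from the baseline.
new_extensions() {
  baseline_ids=$(extension_ids "$1")
  extension_ids "$2" | while IFS= read -r id; do
    printf '%s\n' "$baseline_ids" | grep -qx -- "$id" || printf '%s\n' "$id"
  done
}

# Constructed sample inputs standing in for the real files on a server.
INI=$(mktemp); BASELINE=$(mktemp); CURRENT=$(mktemp)
printf '[ext-catalog]\nextensionAutoInstall = false\n' > "$INI"
printf 'advisor - Advisor\nwp-toolkit - WordPress Toolkit\n' > "$BASELINE"
printf 'advisor - Advisor\njoomla-toolkit - Joomla! Toolkit\nwp-toolkit - WordPress Toolkit\n' > "$CURRENT"

# Operational use (paths are examples): record a baseline once after review,
#   plesk bin extension --list > /var/lib/ext-baseline.txt
# then compare on each run and alert on any output from new_extensions.
auto_install_disabled "$INI" && echo "panel.ini: auto-install disabled"
new_extensions "$BASELINE" "$CURRENT"
```

Any id printed by new_extensions is an extension that appeared after the baseline was approved, regardless of whether the panel.ini setting is present.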
