Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017.
Call to Action
Roundcube was updated from version 1.2.5 to 1.2.7 in Plesk Onyx, please consider an upgrade as soon as possible:
For the earlier versions it's recommended to use Horde webmail instead.
Note: Roundcube may not work after the update. Please refer to Roundcube is unable to send attachments in emails after the latest update for a workaround.