Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017.
Call to Action
Roundcube was updated from version 1.2.5 to 1.2.7 in Plesk Onyx, please consider an upgrade as soon as possible:
Plesk team is also working on the update for Plesk 12.5. For now, it's recommended to use Horde webmail until the issue is fixed.
Note: Roundcube may not work after the update. Please refer to Roundcube is unable to send attachments in emails after the latest update for a workaround.