Articles in this section

What does Imunify notifications do in Plesk?
PHP settings do not apply on a domain when CageFS is enabled in CloudLinux
[CVE-2025-66431] Security vulnerability in domain creation mechanism allows Plesk users to execute arbitrary code on behalf of root
Generating CSR certificate under AlmaLinux 9 and AlmaLinux 10 does not save the Country, City and other fields from SSL certificate settings section
Plesk update fails: bind9 package is half-configured
Wrong $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME'] using Default Site in IP Addresses
Plesk / system update fails after dist-upgrade from Debian 11 to Debian 12: Depends: libodbc2 (>= 2.3.1) but it is not going to be installed
Accessing Apache & nginx settings in Plesk 18.0.72.0 returns error 500: Return value must be of type bool, null returned
Vulnerability CVE-2025-54336
Unable to open mail server configuration for a domain in Plesk UI: The label can only be a string
See more

Vulnerability Assessment and Penetration Testing scanner alerts a breach in Plesk

Benjamin Woellhardt

Updated April 22, 2026 13:38

kb: technical Plesk how-to

Symptoms

Vulnerability Assessment and Penetration Testing scanner alerts a breach in Plesk

Cause

AWS S3 IAM credentials are hardcoded in the Plesk pages

CONFIG_TEXT: Jsw.UAT.init({ ... ,"accessKeyId":"*********","secretAccessKey":"*****************************"," ... })

Resolution

Authentication is required to send data via Plesk User Activity Tracking. This function includes these credentials publicly in order to work as intended. This is not considered a vulnerability because the exposed account credentials have no harmful permissions — only anonymized technical data is gathered and sent via these credentials.

Disable this feature in order to pass vulnerability scanner checks:

How to disable Plesk User Activity Tracking

Comments

0 comments

Please sign in to leave a comment.