"Successful exploitation requires a ScriptAlias [configuration] for the php path using Apache's mod_alias," vulnerability management firm Secunia said Thursday in an advisory that rates the vulnerability as highly critical. That specific configuration is scriptAlias /phppath/ "/usr/bin/", according to Kingcope's exploit notes.
However, it's not clear how commonly this configuration is found in real world Plesk deployments. Two users who posted responses to Kingcope's email to the Full Disclosure mailing list said that they couldn't get the exploit to work because they couldn't find the phppath-related setting on Plesk installations they tried it on.
Sign up for CIO Asia eNewsletters.