Contrary to what Ars reported earlier, Plesk representatives responded promptly to requests for comment. Those responses were blocked by a spam filter. On Thursday morning, the company's vice president of shared hosting and control panels, Craig Bartholomew, told Ars that Plesk version 9.5.4 is not vulnerable, contradicting claims from kingcope that it is susceptible.
"Starting with Plesk 9.3, we have a CGI wrapper that deflects such calls to Apache," Bartholomew said. "You can't get directly to Apache this way. Our understanding is this vulnerability affects 4 percent of all Plesk installatons that we know of."
Bartholomew went on to say the attack code exploits the below-referenced CVE-2012-1823 vulnerability, but does so "with a twist."