I just read this one from SWsoft forum.

There is a SQL injection vulnerable security hole exists on Plesk 8.x.x. Yes, it’s even on 8.2.0, which is the latest stable version.

It’s /usr/local/psa/admin/plib/class.Session.php.

Here’s the fix.