Primary

Context

WHMCS Insufficient Ownership Check Vulnerability in Client Area Allowing Unauthorized Access

Vulnerability

Patched

A vulnerability exists in WHMCS versions 7.4 and later, specifically within the Client Area. The issue arises from inadequate ownership checks in 'clientarea.php', which permit an authenticated user to submit requests using another user's 'addonId'. This lack of validation can lead to unauthorized access to the victim's resources and cPanel account.

Impact

Exploitation of this vulnerability could allow an authenticated WHMCS user to access and manipulate another user's account resources, including cPanel services, without authorization.

Remediation

Users must upgrade to WHMCS versions 9.0.4 or 8.13.3. WHMCS Cloud users do not need to take any action, as all Cloud-hosted installations have already been updated.

Added: May 12, 2026, 6:36 PM

Updated: May 12, 2026, 6:36 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

5.0

exploitability

5.4

remediation

7.7

relevance

8.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

5.0

exploitability

5.4

remediation

7.7

relevance

8.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WHMCS Insufficient Ownership Check Vulnerability in Client Area Allowing Unauthorized Access

Vulnerability

Impact

Remediation

Affected Products

WHMCS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating