PT-2026-40319 · Whmcs · Whmcs
Published: 2026-05-12 · Updated: 2026-05-21
CVE-2026-29204
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
WHMCS versions 7.4 through 8.13.2
WHMCS versions 9.0 through 9.0.3
Description
Insufficient ownership checks in the 'clientarea.php' endpoint allow an authenticated client area user to submit requests using another user's addonId without ownership validation. This leads to unauthorized access to the victim's resources and their cPanel account.
Recommendations
Update to version 8.13.3.
Update to version 9.0.4.
Fix
IDOR
Affected Products
Whmcs