WHMCS CVE Patch (CVE-2026-29204)
SilverCreek
Member, Patron Provider, Megathread Squad
Providers, prepare to patch this newest one in WHMCS this time.
CVE: CVE-2026-29204
Email:
Hello <snip>,
Tomorrow, May 13, 2026, we will be releasing an important maintenance update for the WHMCS 9.0 and 8.13 series. This release addresses a security vulnerability (CVE-2026-29204) which has been identified in WHMCS 7.4 and later.
Recommended versions with required updates are WHMCS 9.0.4 and WHMCS 8.13.3 - and will be available at 19:00 PM GMT, Wednesday, May 13, 2026.
Comments
PSA: shit software is still shit software please update shit software to newest version of shit software
10.0 dang, not even my waifu scores that high.
@Dasabo important
WHMCS SECURITY 2.0 incoming??
reminds me of 2023 when all whmcs instances running broken themes were getting breached
Thank you for the quote, we are doing the update asap.
First of all, you can't do the update ASAP.
You would know if you had read the email WHMCS has sent out to their customers.
It is a notification, so everyone knows it's an important security update, and can update the second the version update is released.
Hey, do you know what P stands for in ASAP? :-D
Please go away. I misread it as now.
ASAP means when the update is released ofc... the release will happen tomorrow, 13 May, as per the WHMCS email we got 1 hour ago..
Yeah, I know.
I am tired and misread your reply.
I think I will call it a day before I make more fuckups.
LOL
It's already public:
https://sec.kaitan.id/cves/CVE-2026-29204
Here's the 8.13 fix from their forums.
https://cdn.discordapp.com/attachments/261222573508001793/1503839614085890168/whmcs_v8.13.0-supporthotfix.2_aaed4fe.220_WHMCS-22228_homepage-layout.zip?ex=6a04cf47&is=6a037dc7&hm=78fd23df0692249c4ccfc880b7811b83f11db1d950fb889e866497fc691c1428&
Francisco
The good thing, it seems like this can be blocked with a WAF rule, or even a WHMCS hook, from what I gather.
@MikeA Mind sharing a mod_security rule or hook? I don't have access to discord.
I doubt that you can block it with a WAF rule, as it's just an IDOR; it would be hard to match.
I think it might be possible with a hook, not sure.
good luck to the ones who are running whmcs 7.4 ish
WHMCS ownership rubbing their hands together every new exploit to get the few remaining owned license holders to change to subscriptions
Not sure what discord you're referring to, but I don't have a rule. Either way, since there is a patch available for 8.13 per Francisco above, it's definitely better to just swap the single file out.
Sorry, I thought maybe they shared some workaround on the whmcs discord. I have a version older than 8.1
Temporarily block all requests containing addonId to clientarea.php
and of course, this will block/break WHMCS end-user functionality.
This and look at this shit.
Wow.
Date on this is May 13, 2025, you sure?
Whoops. I think he missed the year.
Okay so far I think blocking all requests containing addonId to clientarea.php is the solution until whmcs pushes out the update.
Anyone else with any ideas that could help temporarily monkey patch this?
You're right, I had seen clientarea.php and assumed it was the patch.
I can't seem to find any hotfix download anywhere, so, wonderful.
Francisco
Temporary mitigation for WHMCS CVE-2026-29204: this hook removes exposure to addon/service ownership abuse until the official WHMCS patch is released. Remove it after applying the vendor update.
https://hastebin.com/share/mafikogozu.php
They released the patch officially.
https://download.whmcs.com/
We've gone with this patch for now, but changed the hook from ClientAreaPage to ClientAreaProductDetailsPreModuleTemplate. The latter hook runs before the code we believe is bad, whereas ClientAreaPage runs after and may be too late.
ClientAreaProductDetailsOutput is the better one to hook onto. The PreModuleTemplate is a bit funky.
ClientAreaProductDetailsOutput seems fine too, yes.
This is the version we have with a few changes from the other link, such as only running when modop and addonId are present in the request. https://hastebin.com/share/irovuhucey.php
They appear to have released the patch already.
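For readers who cannot reach the hastebin links, here is an added example of the stop-gap hook the posts above describe (blocking clientarea requests that carry both modop and addonId, attached at ClientAreaProductDetailsOutput). It is written for this thread and is not the hastebin code, the WHMCS patch, or anything published by WHMCS. The hook point, the two parameter names and the 9.0.4/8.13.3 version numbers come from the thread; the file name, the 403 response and the logActivity message are assumptions. Whether this hook point runs before the affected code path is the posters' assessment, not something confirmed here, and like the original it is only a bridge until the vendor update is applied.

```php
<?php
// includes/hooks/tmp_block_modop_addonid.php  (file name is an assumption)
//
// Temporary mitigation discussed in the thread for CVE-2026-29204:
// refuse clientarea product-detail requests that carry BOTH `modop` and
// `addonId`. Blocking on `addonId` alone breaks normal client-area
// functionality, as noted earlier in the thread, so both must be present.
// Delete this file once WHMCS 9.0.4 / 8.13.3 (or later) is installed.

if (!defined('WHMCS')) {
    die('This file cannot be accessed directly');
}

/**
 * Returns true when the current request matches the pattern the thread
 * wants blocked. Separated out so the decision logic is easy to review.
 */
function tmpBlockModopAddonIdMatches(array $request): bool
{
    return array_key_exists('modop', $request)
        && array_key_exists('addonId', $request);
}

add_hook('ClientAreaProductDetailsOutput', 1, function (array $vars) {
    if (!tmpBlockModopAddonIdMatches($_REQUEST)) {
        return '';
    }

    // Record the attempt in the WHMCS activity log before refusing it,
    // so operators can see whether anyone probed the instance pre-patch.
    $remote = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    logActivity(
        'Blocked clientarea request with modop+addonId '
        . '(temporary CVE-2026-29204 hook) from ' . $remote
    );

    // Hard stop: no template output, no further processing of this request.
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
});
```

Drop the file into includes/hooks/ on the affected instance; WHMCS loads every PHP file in that directory automatically. The match function uses array_key_exists rather than a value check on purpose: an empty or malformed addonId is still a request the thread wants refused.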
What about Version: 7.0.3 ?
No support/updates left