Okay so far I think blocking all requests containing addonId to clientarea.php is the solution until whmcs pushes out the update.

(Quote)

and ofcourse, this will block/break WHMCS end-user functionality.

Sorry, I thought maybe they shared some workaround on the whmcs discord. I have a version older than 8.1

WHMCS ownership rubbing their hands together every new exploit to get the few remaining owned license holders to change to subscriptions (Image)

good luck to the ones who are running whmcs 7.4 ish (Image)

The good thing, it seems like this can be blocked with a WAF rule, or even a WHMCS hook, from what I gather.

(Quote)

(Quote)

ASAP mean when the update is released ofc... the release will happen tomorrow 13 may as per the WHMCS email we got 1 hour ago..

(Quote)

(Quote)

You would know if you had read the email WHMCS has sent out to their customers.

WHMCS SECURITY 2.0 incoming??

Providers, prepare to patch this newest one in WHMCS this time.

Pretty sure Akash has sorted the OP, we'll see. Odd one, it for sure sounds like WHMCS went back and bit the OP a 2nd time.

(Quote)

(Quote)

or your stripe API keys are compromised, or your WHMCS is compromised and some bad actor is charging people's credit cards.

(Quote)