Because, if the WHMCS module is audited and Virtualizor is audited and no flaws are found, probably may not be something in one or the other... but in the middle.

That’s not hard to automate. Virtfusion WHMCS module stores relation to VF user & server in the SQL. Creating accounts is easy with the API.

(Quote)

(Quote)

We found a Virtualizor bug before, if a client VPS record exists in WHMCS virtualizor plugin, but vpsid=0 (Happens when migrate from other panel or VPS delete callback failed sometimes) , if the user

(Quote)

The WHMCS module for Virtualizor has been heavily scrutinized and the source code is available for everyone to look at. I am still waiting for someone to provide actual proof that an exploit exists vi

(Quote)

It seems indeed there is something like 0-day for the terminal function within VIrtualizor admin. (No the whmcs plugin is not involved)

(Quote)

Situation is curious. A lot of folks are using virtualizor and almost everyone is using WHMCS if that combination is what creates the attack vector. But not everyone is getting pwnd. Mostly the rea

I’ve also had this issue as I’ve replied on CloudCone regarding this. I’ve had 4 providers contact me personally after I replied on the other thread who had this same issue but didn’t go public about

There are credible reasons to suspect there's a vulnerability in the Virtualizor WHMCS module, which is under active exploitation and has affected multiple hosts: https://www.virtualizor.com/docs/bill

I think, the worst module could do, is leaking api keys and this can be mitigated by restricting IPs in Virtualizor settings which can use the keys. Also WHMCS/Blesta modules are open source, so it's

(Quote)

Just comming to mind, but think its not possible, to list used panels from every host. Ex: WHMCS Blesta Virtualizor Virtfusion and so on. Think its a risk.

(Quote)

(Quote)

@ouiheberg claimed to have reproduced the hack and that the vector was the "Virtualizor-WHMCS addon".

(Quote)