
Security Update 2023-06-20

By David / June 20th, 2023

An important payment assertion issue and an XSS security issue have been identified that affect all versions of WHMCS.

We have published new releases for the active and LTS versions of WHMCS (v8.7 and v8.6), as well as a patch for the EOL version v8.5. Patches will not be released for any earlier versions of WHMCS.

These issues were reported via our Security Bounty Program. Further details about these issues will not be disclosed at this time.

What should I do?
You should update WHMCS, either manually or using the Automatic Updater, as soon as possible. We recommend using the Automatic Updater.

Update Instructions
Automatic Update Steps
  1. Log in to your WHMCS Admin Area.
  2. Navigate to Utilities > Update WHMCS.
  3. Click Check Now to check for updates. When the check completes you will see a new version is available.
  4. Click the Update Now button and follow the wizard-based steps.
If you are on 8.6.0 or 8.6.1 and want to update automatically only to the 8.6.2 revision, you can configure the Updater to filter for your 'Current Version' only (i.e., 8.6.x): before performing step 3 above, click Configure Update Settings, select the 'Current Version' Update Channel, click the Save Changes button, and then proceed to step 3.

You may reference the Automatic Updater for a more detailed description of the update utility. Likewise, you may reference our article on Updating for more in-depth guidance.

Manual Update Steps
  1. Visit https://download.whmcs.com/
  2. If you are running the immediately preceding version, you can update using the Incremental Patch Set. Select this tab and then choose the appropriate patch for your given version.
  3. If you are running any earlier version of WHMCS, you will need to download and update using the full release package for your desired version.
  4. Once you have downloaded the appropriate update file, follow the steps within the Readme file to perform the update process.

Patch Steps [for users of 8.5.2]
  1. Download the patch here: https://www.whmcs.com/download/1709/security_patch_852_2023-06-20.zip.
  2. Extract the files from the zip folder download.
  3. Upload the files from the whmcs/ directory of the zip to the root directory of your WHMCS installation to complete the process.
(NOTE: Since this is a patch-level update only, there will be no visible change in the version number shown within your WHMCS installation.)

What is included in the update?
The update includes a resolution for a security issue as well as an important assertion related to applying payment. Changelogs have been provided for the respective versions with redacted titles:

Need Help?
If you have any issues updating your WHMCS installation or applying the patch, you can contact our support team at www.whmcs.com/submit-a-ticket
