WHMCS Security Advisory for 4.5, 5.0, 5.1, 5.2

By David / May 16th, 2013

WHMCS has released new patches for the 4.5, 5.0, 5.1 and 5.2 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as including critical or important security impacts. Information on security ratings is available at https://docs.whmcs.com/Security_Levels.

Releases
The following full-release versions of WHMCS have been published and address all known vulnerabilities:
5.2.5

The latest public releases of WHMCS are available inside our member's area at https://www.whmcs.com/members/clientarea.php

Security Issue Information
The Targeted Security Release and Patch updates for 4.5, 5.0, and 5.1 resolve an issue of unsanitized information being used in a SQL query. Using a crafted URL, an attacker could perform an SQL Injection.

The Targeted Security Release and Patch update for 5.2 addresses a security enhancement regression discovered in 5.2.3 and 5.2.4. This regression is not related to the itemized vulnerability mentioned for 4.5, 5.0, and 5.1. The regression was identified internally and is not a candidate for public disclosure.

Mitigation

WHMCS Version 4.5
Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 4.x series are located on the WHMCS site as itemized below.

v4.5.5 (patch only) - https://www.whmcs.com/download/302/v455patch

To apply the patch, simply download the appropriate patch file specific to the WHMCS version you are running, extract the contents, and upload the files from the /whmcs/ folder to your installation.

No install or upgrade process is required.

WHMCS Version 5.x
Download and apply the appropriate full-version or patch of WHMCS to protect against these vulnerabilities.

Patch files for affected version 5.x are located on the WHMCS site as itemized below. A full-version of 5.2.5 is located in the WHMCS member's area download section, under your license details.

v5.0.6 (patch only) - https://www.whmcs.com/download/306/v506patch
v5.1.7 (patch only) - https://www.whmcs.com/download/310/v517patch
v5.2.5 (patch only) - https://www.whmcs.com/download/314/v525patch
v5.2.5 (full-version) - Available in the members area

When updating from v5.0.5, v5.1.6, or v5.2.4 you can use the patch file and the upgrade process is not required. Simply download the appropriate file specific to the WHMCS version you are running, extract the contents, and upload the files from the /whmcs/ folder to your installation.

If you are running any other version, you should apply the full-version. Simply download the file from our member's area and then follow the regular upgrade instructions, which can be found at https://docs.whmcs.com/Upgrading


*This Security Advisory is in the process of being emailed to all active license holders.*
