WHMCS has released a patch for the 5.2 and 5.1 minor releases, after a vulnerability was detected by user ‘localhost’ and reported by several users on WebHostingTalk on Thursday morning.
Users are encouraged to update their WHMCS installations immediately, WHMCS says, as the updates have “critical security impacts.”
A critical security impact is the highest security level WHMCS uses to classify security issues discovered in its product. According to its website, “a critical rating applies to vulnerabilities that allow remote, unauthenticated access and code execution, with no user interaction required. These would allow complete system compromise and can easily be exploited by automated scripts such as worms.”
While all versions of WHMCS are affected by this vulnerability, only 5.1 and 5.2 will be provided updates per its Long Term Support Policy, under which WHMCS provides Active Development for major and minor versions of WHMCS. Versions that aren’t under Active Development won’t receive maintenance releases but are candidates for Targeted Critical and Security Releases, according to the policy page on its website.
WHMCS v5.2.8 and v5.1.10 have been published to address a specific SQL injection vulnerability that allows an attacker with a valid login to the installed product to carry out a SQL injection attack.
More information on how to apply a patch can be found on the WHMCS website, and all active WHMCS license holders should have received the security advisory via email.
This week WHMCS and cPanel were in New Orleans for the cPanel Conference, where speakers discussed everything from how to run a successful hosting business to what’s new in cPanel version 11.40, including IPv6 and 1:1 NAT support.