Skip to content

bogdanrotariu/cve-2026-29204-whmcs-clientarea-addonid

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 

Repository files navigation

CVE-2026-29204 — WHMCS client area addon guard

Unofficial community notes for CVE-2026-29204: on clientarea.php?action=productdetails, a logged-in client can supply a foreign addonId with modop=custom and reach module context that does not belong to the session.

Upgrade first. Apply a vendor-patched WHMCS build (8.13.3 or 9.0.4 on supported branches). See the 8.13 and 9.0 change logs.

The hook in mitigation/ is a temporary, optional client-area guard. It is not a vendor patch and not a substitute for upgrading. Remove it after patching unless you keep a separate, documented policy.

Install (optional bridge)

cp mitigation/includes/hooks/cve_addonid_clientarea_guard.php /path/to/whmcs/includes/hooks/

The hook checks addonId ownership against the session client and the service id on productdetails with modop=custom, then redirects foreign requests. It does not depend on client-area language strings. Blocked attempts are recorded in Utilities → Logs → Activity Log.

Disclaimer

Provided as is, without warranty. Not affiliated with WHMCS. Use only on systems you own or are authorized to change. You are responsible for backups, testing, and compliance. The authors do not guarantee that this hook prevents abuse or replaces a vendor security update.

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages