Unofficial community notes for CVE-2026-29204: on clientarea.php?action=productdetails, a logged-in client can supply a foreign addonId with modop=custom and reach module context that does not belong to the session.
Upgrade first. Apply a vendor-patched WHMCS build (8.13.3 or 9.0.4 on supported branches). See the 8.13 and 9.0 change logs.
The hook in mitigation/ is a temporary, optional client-area guard. It is not a vendor patch and not a substitute for upgrading. Remove it after patching unless you keep a separate, documented policy.
cp mitigation/includes/hooks/cve_addonid_clientarea_guard.php /path/to/whmcs/includes/hooks/The hook checks addonId ownership against the session client and the service id on productdetails with modop=custom, then redirects foreign requests. It does not depend on client-area language strings. Blocked attempts are recorded in Utilities → Logs → Activity Log.
Provided as is, without warranty. Not affiliated with WHMCS. Use only on systems you own or are authorized to change. You are responsible for backups, testing, and compliance. The authors do not guarantee that this hook prevents abuse or replaces a vendor security update.