WHMCS 24/10/2013 Vuln


Well-Known Member
Verified Provider
Put this in configuration.php to patch it:

if(isset($_REQUEST['invoiceids']) && is_array($_REQUEST['invoiceids'])) { die('no'); }
Last edited by a moderator:


VPS Peddler
Verified Provider
Just a little note, this post was posted at 01:01:01 AM +0000 October 25th 2013 - So there may be something more sinister in the making.


Verified Provider
Yeah, desire to build a WHMCS replacement rising.
There remains the promise of but no word on progress at all. And then there's Blesta, which has promise w/the participation of 3rd party developers, yet w/o that is still pretty much just a billing platform for webhosting.

HostBill works nicely, when it works at all, and if you're really daring you can even take a chance on destroying your entire business each week by performing updates, which usually break something else that was previously working, but only a fool would consider that app now.

I'm actually considering going back to a simple script based system much like - or at least re-deploying under a different brand for those services.


New Member
New patch was released but the version number doesn't change after updating.

I guess they're paying "so much attention" to fixing the issue that they "accidentally forgot" about the version number.

Even minor issues like this (version number) are overlooked, its really unsafe to continue using WHMCS.
Last edited by a moderator: