Description
Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's account.
Published: 2026-05-12
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient ownership validation on the WHMCS client area page allows an authenticated client to submit a request specifying another user's addon identifier. The missing check lets the attacker gain access to the victim's cPanel resources and associated files, effectively bypassing authorization controls. This flaw is a classic example of CWE-639, where user-controlled input is not properly verified before use.

Affected Systems

The vulnerability affects WebPros' WHMCS product. Any configuration using the default client area implementation where `clientarea.php` is exposed to authenticated users is susceptible. The issue specifically relates to operations involving addon identifiers submitted via HTTP requests. No specific version data is disclosed in the advisory; which earlier or unpatched versions are affected therefore remains uncertain.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical condition. While the EPSS score is not available, the absence of any public exploitation warning and of a listing in CISA's KEV catalog suggest that, although the flaw is easy to exploit, exploitation in the wild has not yet been confirmed. The description implies that attackers must be authenticated users of the WHMCS client area to exploit this flaw. Once authenticated, the attacker can manipulate the addonId parameter, bypassing ownership checks and gaining unauthorized access to the victim's cPanel account and resources.

Generated by OpenCVE AI on May 13, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest WHMCS update from WebPros as soon as a patch is released. This is the most effective remedy for the reported flaw.
  • Modify the server-side code handling addonId submissions in clientarea.php to enforce an ownership check, ensuring that the addonId belongs to the currently authenticated user before accepting the request. This directly addresses the root of the vulnerability.
  • Disable direct addonId access for authenticated users by removing or restricting the addon management functionality from the client area to administrators only.
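As an added illustration of the ownership check recommended above (hypothetical PHP, not WHMCS's own code: the `addons` table, its columns, the session layout and the SQLite demo rows are all assumptions), the unchecked lookup beside its fixed form:

```php
<?php
// Added illustration (not WHMCS code): a hypothetical client-area handler that
// resolves an addonId to a hosting service. Table and column names, the
// session layout and the $pdo connection are assumptions.
declare(strict_types=1);
// VULNERABLE (CWE-639): lookup by id alone, so any authenticated client can
// pass another client's addonId and receive that client's row.
function loadAddonInsecure(PDO $pdo, int $addonId): ?array
{
    $stmt = $pdo->prepare('SELECT id, userid, hostingid FROM addons WHERE id = :id');
    $stmt->execute([':id' => $addonId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED: ownership is part of the predicate, and the owner comes from the
// server-side session, never from the request.
function loadAddonOwned(PDO $pdo, int $addonId, int $sessionUserId): ?array
{
    $stmt = $pdo->prepare('SELECT id, userid, hostingid FROM addons WHERE id = :id AND userid = :uid');
    $stmt->execute([':id' => $addonId, ':uid' => $sessionUserId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Reject unauthenticated or malformed requests, then treat "not owned" the
// same as "not found" so the response does not confirm foreign addonIds.
function handleAddonRequest(PDO $pdo, array $session, array $request): array
{
    if (empty($session['uid'])) {
        return ['status' => 401, 'body' => 'authentication required'];
    }
    $addonId = filter_var($request['addonId'] ?? '', FILTER_VALIDATE_INT);
    if ($addonId === false) {
        return ['status' => 400, 'body' => 'invalid addonId'];
    }
    $addon = loadAddonOwned($pdo, $addonId, (int) $session['uid']);
    if ($addon === null) {
        error_log(sprintf('addon access denied uid=%d addonId=%d', $session['uid'], $addonId));
        return ['status' => 404, 'body' => 'addon not found'];
    }
    return ['status' => 200, 'hostingid' => $addon['hostingid']];
}

// Stand-alone demo on an in-memory SQLite table with constructed rows:
// addon 7 belongs to client 1, addon 8 to client 2.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE addons (id INTEGER PRIMARY KEY, userid INTEGER, hostingid INTEGER)');
$pdo->exec('INSERT INTO addons VALUES (7, 1, 100), (8, 2, 200)');
var_dump(handleAddonRequest($pdo, ['uid' => 1], ['addonId' => '8']));  // client 1 asking for client 2's addon
var_dump(loadAddonInsecure($pdo, 8));  // the same request through the unchecked lookup
```

The denied request is logged with both the session user and the requested addonId, which is the signal a detection rule for this class of IDOR would key on.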


Advisories

No advisories yet.

History

Wed, 13 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title Unauthorized cPanel Access via Missing Addon ID Ownership Verification in WHMCS

Tue, 12 May 2026 22:30:00 +0000


Tue, 12 May 2026 22:15:00 +0000

Type: Description
  Values removed: Insufficient ownership checks in `clientarea.php` allow an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's resources and their cPanel account.
  Values added: Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's account.
Type: References
Type: Metrics
  Values removed: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Unauthorized cPanel Access via Missing Addon ID Ownership Verification in WHMCS

Tue, 12 May 2026 18:15:00 +0000

Type: Description
  Values added: Insufficient ownership checks in `clientarea.php` allow an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's resources and their cPanel account.
Type: Weaknesses
  Values added: CWE-639
Type: References
Type: Metrics
  Values added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-12T21:57:08.277Z

Reserved: 2026-03-04T15:00:09.267Z

Link: CVE-2026-29204

Vulnrichment

Updated: 2026-05-12T21:12:59.156Z

NVD

Status: Received

Published: 2026-05-12T18:16:51.030

Modified: 2026-05-12T22:16:33.300

Link: CVE-2026-29204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T00:15:27Z

Weaknesses