CVE-2026-29204

Summary

Insufficient ownership check in clientarea.php allows an authenticated client area user to submit requests using another user’s addonId without any ownership validation leading to unauthorized access to the victim's account.

Affected Software

VendorProductVersion RangeStatus
WebProsWHMCS7.4.0 <= 18.12.2affected
WebProsWHMCS18.13.0 < 18.13.3affected
WebProsWHMCS9.0.0 < 9.0.4affected

Weaknesses

  • CWE-639: CWE-639 Insecure Direct Object Reference (IDOR)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References