Leaderboard

Targeted Security Releases have been published for our Current and Long Term Support versions (8.7 and 8.6) Owned License holders will be able to auto-update to 8.7.3 or 8.6.2, if your Support & Updates was active during those releases. We have also exceeded our Long Term Support policy by providing a patch for 8.5, because it recently reached End of Life. Users can apply if your Support & Updates was active during the 8.5 release. We do not recommend running an End of Life version of WHMCS for this reason. However on this occasion, if you're running an older End of Life version, please contact support and we can assist: https://www.whmcs.com/submit-a-ticket/

Hi all, I found a post from 2016 with the following code, which no longer works. What changes would be made to allow it to work with the current code ? Original thread - <?php if (!defined("WHMCS")) die("This file cannot be accessed directly"); function hook_ForceEveryoneToLogin($vars) { $clientID = intval($_SESSION['uid']); $adminID = intval($_SESSION['adminid']); if ($adminID===0){ if (!in_array($vars['filename'], array("login","dologin","clientarea","pwreset", "register")) && $clientID===0){ header("Location: login.php"); exit; } } } add_hook("ClientAreaPage", 1, "hook_ForceEveryoneToLogin");

WHMCS have just sent a notice regarding an exploit that affects all versions of WHMCS. Sadly, it seems that owned license holders are exempt from receiving critical patches? I was a happy paying customer who paid their $99 per year for support and updates until the massive shift, and now I've been left in the dark. Can WHMCS staff kindly review this considering the impact of this matter, had this exploit been identified during the time in which I had paid for support a patch would have been released and further to this, the fact that the exploit affects all versions of whmcs means that this exploit existed when I had active support.

Hi @websavers, As a Targeted Security Release, we did not include any maintenance updates. You can re-apply the CORE-18608 hotfix for support ticket statuses after updating to 8.7.3.

/images/whmcs_blog.png An important payment assertion issue and an XSS security issue have been identified that affect all versions of WHMCS. We have published new releases for active and LTS versions of WHMCS (v8.7 and v8.6) as well as a patch for EOL versions v8.5. Patches will not be released for any earlier versions of WHMCS. These issues were reported via our Security Bounty Program. Further details about these issues will not be disclosed at this time. What should I do?You should update WHMCS, either...View the full blog post

You can use this: <?php use WHMCS\Authentication\CurrentUser; use WHMCS\Config\Setting; add_hook('ClientAreaPage', 1, function ($vars) { $user = new CurrentUser; $templateFile = $vars['templatefile']; if(!$user->isAuthenticatedUser and !in_array($templateFile, ['login', 'dologin', 'pwreset', 'register', 'clientarea'])) { $systemURL = Setting::where('setting', 'SystemURL')->first(); $systemURL = $systemURL->value; if(!str_ends_with($systemURL, '/')){ $systemURL = $systemURL.'/'; } header("Location: {$systemURL}login.php"); exit(); } });