WHMCS: Client Area flaw patched [CVE-2026-29204]

Information

G’day,

WHMCS have been made aware of a security flaw (CRITICAL) in their software going back to v7.4.

As only v8.13 and v9.0 are supported, that’s all they’ve patched - and we have applied this now to all managed client installations, as well as my.Merlot 24/7 online self-service. They’re sunsetting v8.13 end of May 2026…

CVE-2026-29204 is a basic flaw in which a missing ownership check allows a client/user to “go sideways” to any addon:

“Insufficient ownership checks in clientarea.php allow an authenticated client area user to submit requests using another user’s addonId without any ownership validation leading to unauthorised access to the victim’s resources and their cPanel account.”

All Merlot-managed WHMCS installations are running v8.13.3, meaning you’re protected from this vulnerability.

Cheers,
Merlot Digital
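
The class of flaw quoted above (a request-supplied `addonId` looked up without tying it to the logged-in client) is shown below as an added example; it is not WHMCS code and not part of the original notice. The schema, table names, function names and sample rows are all constructed assumptions used to model the unchecked lookup beside an ownership-scoped one.

```python
import sqlite3

# Constructed schema and rows: a simplified model, NOT the WHMCS database layout.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE services (id INTEGER PRIMARY KEY, client_id INTEGER, cpanel_user TEXT);
        CREATE TABLE addons   (id INTEGER PRIMARY KEY, service_id INTEGER, name TEXT);
        INSERT INTO services VALUES (10, 1, 'alice_cp'), (20, 2, 'bob_cp');
        INSERT INTO addons   VALUES (100, 10, 'backups'), (200, 20, 'ssl');
    """)
    return db

class NotFound(Exception):
    """Raised for both missing and foreign addons, so replies do not reveal which ids exist."""

def load_addon_unchecked(db, addon_id):
    # Flawed pattern: the id taken from the request is the only filter.
    return db.execute(
        "SELECT a.id, a.name, s.cpanel_user FROM addons a "
        "JOIN services s ON s.id = a.service_id WHERE a.id = ?",
        (addon_id,)).fetchone()

def load_addon_owned(db, session_client_id, addon_id, audit):
    # Hardened pattern: the owner comes from the server-side session and is
    # part of the query itself, following addon -> service -> client.
    row = db.execute(
        "SELECT a.id, a.name, s.cpanel_user FROM addons a "
        "JOIN services s ON s.id = a.service_id "
        "WHERE a.id = ? AND s.client_id = ?",
        (addon_id, session_client_id)).fetchone()
    if row is None:
        # Record the denial so repeated cross-account attempts can be alerted on.
        audit.append({"event": "addon_access_denied",
                      "client_id": session_client_id, "addon_id": addon_id})
        raise NotFound(addon_id)
    return row

def demo():
    db, audit = build_db(), []
    leaked = load_addon_unchecked(db, 200)   # client 1 supplying client 2's addon id
    own = load_addon_owned(db, 1, 100, audit)
    try:
        load_addon_owned(db, 1, 200, audit)
        denied = False
    except NotFound:
        denied = True
    return leaked, own, denied, audit
```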

2 affected services:
The Network Crew Pty Ltd (TNC)


Network: AS138521