WHMCS 4.X Security Patch
Over the weekend, an anonymous user reported a potential issue affecting 3 specific pages of the admin area. This may enable malicious individuals to either create announcements/to-do list entries or inject sql. While they do all rely on the malicious users having already gained admin access to be able to utilise, given the potential for CRSF it was felt that the risk is real enough to require an immediate patch be released for it.
There are 3 files contained in the patch, all belonging to the admin area, which simply need to be uploaded to the admin directory to take effect. The patch is attached to this post and available for download via the client area. There is no install or upgrade script, and no version incrementation as these files are compatable with all V4.x releases.
We are not aware of any install that has been compromised by this or it having been disclosed at the current time. And this proactive patch should negate any risks from it. However if anybody has any questions or concerns then please feel free to contact us. We apologise for any inconvenience.
EDIT: The files in this patch have been applied to the V4.5.1 release download and the V4.5.2 bug fix roll-up update due out later this week will also include them.