https://blog.kalfaoglu.net/tags/idor/Recent content in Idor on kalfaoglu.netHugoenSun, 17 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-17-whmcs-cve-2026-29204-idor-en/Sun, 17 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-17-whmcs-cve-2026-29204-idor-en/<p>If you run WHMCS and haven&rsquo;t updated in the past week, stop reading and go do that first. Back? Good. Here&rsquo;s what you just patched.</p> <h2 id="what-the-vulnerability-is">What the Vulnerability Is</h2> <p>On 12 May 2026, WHMCS published <a href="https://help.whmcs.com/m/125386/l/2073908-cve-2026-29204">CVE-2026-29204</a> — an authorization bypass rooted in <code>clientarea.php</code>. The flaw is textbook IDOR (Insecure Direct Object Reference, classified as <a href="http://cwe.mitre.org/data/definitions/639.html">CWE-639</a>): when a client area user submits a request that includes an <code>addonId</code> parameter, WHMCS fails to verify whether that addon actually belongs to the requesting account. Swap in a different user&rsquo;s <code>addonId</code>, and you walk straight into their services.</p>