On 3rd June 2025 we released updates for all actively supported and long-term support (LTS) versions of WHMCS, namely v8.13, v8.12, and v8.11. These updates resolve a number of security vulnerabilities that have been identified as affecting all currently supported versions of WHMCS.
The majority of these vulnerabilities were discovered through routine internal security audits, while others were reported through our Security Bounty Program. Therefore, we do not believe they are actively in use.
No updates will be issued for versions prior to v8.11.
What should you do next?
You should update WHMCS, either manually or using the Automatic Updater, as soon as possible. We recommend using the Automatic Updater and upgrading to the Latest Stable Version (8.13.1).
Update instructions
Please reference our documentation on Updating for in-depth step-by-step guidance.
What is included in the update?
The update resolves multiple security vulnerabilities, most notably XSS and CSRF. Changelogs have been provided for the respective versions with redacted titles:
In order to safeguard users who have not yet updated to the latest version, we are deliberately limiting the disclosure of specific technical details at this time.
Are there other mitigation options?
The update resolves a number of diverse issues, which means there are no alternative mitigation options that address them all. We recommend applying the update as soon as possible.
Are older versions affected?
Older versions may contain these vulnerabilities. We recommend using the Automatic Updater and upgrading to the Latest Stable Version (8.13.1).
No updates will be issued for versions prior to v8.11.