The vulnerability, posted publicly on a blog by "localhost" on October 3, allows a malicious user to inject SQL commands into WHMCS.
With this zero-day, any malicious user can read information on existing WHMCS accounts. Hashed passwords can be obtained and, once cracked, lead to a compromised administrator account.
All that is needed is a valid user account on the targeted WHMCS installation.
"The vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information," the WHMCS blog post reads.
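To make the quoted description concrete, the following is an added illustration of that bug class, not WHMCS's code and not the published exploit: a simulated "product page" that writes request parameters into an UPDATE statement by string concatenation, beside a hardened version that uses a column allowlist and bound parameters. The schema, table names (tblclients, tbladmins), data and payload are all constructed for the demo and are assumptions, not details taken from the advisory. An authenticated low-privilege user supplies the payload in a field they are allowed to edit; the injected subquery copies an admin password hash into the attacker's own profile row, where it can then be read back through the normal interface.

```python
import sqlite3

# Constructed demo schema and rows (assumed names, not WHMCS's real schema/content).
FAKE_ADMIN_HASH = "$2y$10$fakehashfordemoonly"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE tblclients (id INTEGER PRIMARY KEY, firstname TEXT, email TEXT);
        CREATE TABLE tbladmins  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO tblclients VALUES (7, 'mallory', 'mallory@example.test');
        INSERT INTO tbladmins  VALUES (1, 'admin', '{FAKE_ADMIN_HASH}');
    """)
    return conn


def update_client_vulnerable(conn, client_id, params):
    """Vulnerable pattern: request parameters are pasted into the SET clause.
    Any parameter that reaches this path becomes part of the SQL statement."""
    sets = ", ".join(f"{key}='{value}'" for key, value in params.items())
    sql = f"UPDATE tblclients SET {sets} WHERE id={int(client_id)}"
    conn.execute(sql)  # one statement, so sqlite3 runs it; injection lives inside it
    conn.commit()
    return sql


# Hardened pattern: only known columns, values always bound, never concatenated.
ALLOWED_COLUMNS = ("firstname", "email")


def update_client_safe(conn, client_id, params):
    columns = [c for c in ALLOWED_COLUMNS if c in params]
    if not columns:
        raise ValueError("no updatable columns supplied")
    sets = ", ".join(f"{c}=?" for c in columns)
    sql = f"UPDATE tblclients SET {sets} WHERE id=?"
    conn.execute(sql, [params[c] for c in columns] + [int(client_id)])
    conn.commit()
    return sql


def read_client(conn, client_id):
    """What the logged-in user sees on their own profile page."""
    return conn.execute(
        "SELECT firstname, email FROM tblclients WHERE id=?", (client_id,)
    ).fetchone()


# Constructed payload: closes the quoted value, adds a second assignment that
# pulls an admin hash via subquery, fixes the WHERE clause, comments out the rest.
PAYLOAD = "x', email=(SELECT password FROM tbladmins WHERE id=1) WHERE id=7 -- "


def demo():
    vulnerable = make_db()
    update_client_vulnerable(vulnerable, 7, {"firstname": PAYLOAD})
    leaked = read_client(vulnerable, 7)

    hardened = make_db()
    update_client_safe(hardened, 7, {"firstname": PAYLOAD})
    contained = read_client(hardened, 7)
    return leaked, contained


if __name__ == "__main__":
    leaked, contained = demo()
    print("vulnerable path, attacker's own row now holds:", leaked)
    print("hardened path, payload stored as a plain string:", contained)
```

The hardened function does two separate things on purpose: the allowlist stops a request parameter from naming an arbitrary column (or sneaking extra SQL in through the key), and the `?` placeholders keep the value out of the statement entirely, so the same payload is stored as a harmless string. Escaping the value alone would not fix the column-name side of the problem.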
All versions of WHMCS are affected, but only versions 5.1 and 5.2 receive a patch, in line with the company's "Long Term Support Policy."