
WHMCS and the AES_ENCRYPT vulnerability / exploit. Hooks to stop AES_ENCRYPT account registration

In case you’ve been out for a while, a WHMCS exploit surfaced about a week or so ago. It’s a SQL injection attack that leads to a full compromise of a WHMCS installation. First things first, head over to WHMCS, get the patch and apply it right away. This hook will NOT protect you against the exploit. It merely rejects or flags sign-ups whose submitted fields contain the string AES_ENCRYPT, which the exploit attempts use. It’s essentially there so you don’t waste too much time deleting fake AES_ENCRYPT sign-up accounts.

WHMCS hooks, to put it nicely, aren’t easy to work with. Be sure to change the suffix appended to $values["email"] ("no_soup_for_you") and the $adminuser value to your own (just in case).


<?php
// Save as a file in your WHMCS includes/hooks/ directory.

// Runs after a client has been registered, added, edited or changed their password.
// If any submitted value contains "AES_ENCRYPT", tag the account's email address
// so the fake account is easy to spot and delete later.
function hook_validate_aesencrypt($vars) {
    if (isset($vars) && is_array($vars)) {
        // Only join scalar values: implode() on a nested array just emits "Array".
        $vars_str = implode(" ", array_filter($vars, "is_scalar"));
        // stripos(): the match is case-insensitive, MySQL treats AES_ENCRYPT the same way.
        if (stripos($vars_str, "AES_ENCRYPT") !== false && isset($vars["userid"]) && isset($vars["email"])) {
            $command = "updateclient";
            $adminuser = "whmcs_admin"; // change to one of your admin usernames
            $values = array();
            $values["clientid"] = $vars["userid"];
            $values["email"] = $vars["email"] . "no_soup_for_you"; // marker suffix, change to your own
            $results = localAPI($command, $values, $adminuser);
        }
    }
}

// Runs before client details are validated: reject the submission outright.
function hook_validate_aesencrypt_pre($vars) {
    if (isset($_POST) && is_array($_POST)) {
        $post_str = implode(" ", array_filter($_POST, "is_scalar"));
        if (stripos($post_str, "AES_ENCRYPT") !== false) {
            $error_msg = "Registration denied";
            return $error_msg; // a returned string is shown to the user as a validation error
        }
    }
}

add_hook("ClientDetailsValidation", 1, "hook_validate_aesencrypt_pre");
add_hook("ClientAreaRegister", 1, "hook_validate_aesencrypt");
add_hook("ClientEdit", 1, "hook_validate_aesencrypt");
add_hook("ClientAdd", 1, "hook_validate_aesencrypt");
add_hook("ClientChangePassword", 1, "hook_validate_aesencrypt");
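The hook joins the submitted values with implode(), which cannot see inside nested fields (WHMCS custom fields arrive as an array under customfield, and implode() turns a nested array into the literal string "Array"). As an added example that is not part of the original post, here is a recursive scan in PHP that walks the whole submission, matches case-insensitively and reports which field matched; the function names, the marker list and the sample submission are my own constructions, not WHMCS code.

```php
<?php
// Added example: recursive, case-insensitive scan of submitted form data for
// SQL-injection markers. Function names and marker list are this example's own.

function find_injection_markers($data, array $markers = array("AES_ENCRYPT", "UNION SELECT", "INFORMATION_SCHEMA"), $path = "") {
    $hits = array();
    if (is_array($data)) {
        // Recurse into nested arrays, keeping a dotted path to the offending field.
        foreach ($data as $key => $value) {
            $child = ($path === "") ? (string)$key : $path . "." . $key;
            $hits = array_merge($hits, find_injection_markers($value, $markers, $child));
        }
        return $hits;
    }
    if (!is_scalar($data)) {
        return $hits; // objects/resources are ignored
    }
    $text = (string)$data;
    foreach ($markers as $marker) {
        if (stripos($text, $marker) !== false) {
            $hits[] = array("field" => $path, "marker" => $marker);
        }
    }
    return $hits;
}

// Hook-style wrapper (hypothetical name): reject the request and log what matched.
function hook_block_injection_markers($vars) {
    $hits = find_injection_markers($_POST);
    if (count($hits) > 0) {
        foreach ($hits as $hit) {
            error_log("blocked registration: field " . $hit["field"] . " contained " . $hit["marker"]);
        }
        return "Registration denied";
    }
}

// Constructed sample submission: the marker sits in a nested custom field and in
// lower case, which an implode()+strpos() check would miss entirely.
$sample_post = array(
    "firstname"   => "Jane",
    "lastname"    => "Doe",
    "email"       => "jane@example.com",
    "customfield" => array(
        "7" => "hello aes_encrypt world",
    ),
);

foreach (find_injection_markers($sample_post) as $hit) {
    echo $hit["field"] . " matched " . $hit["marker"] . PHP_EOL; // customfield.7 matched AES_ENCRYPT
}
```

To use the wrapper as a real hook, register it the same way as the post's functions, e.g. add_hook("ClientDetailsValidation", 1, "hook_block_injection_markers"); the error_log() line gives you something to grep in the web server's error log when counting blocked attempts.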