On August 2nd, 2016 we issued a security patch for the v6 series - http://blog.whmcs.com/?t=116515.
The following discloses the related security concern reported through our Security Bounty Program.
Under the condition of a man in the middle attack, it could be possible for an attacker in control of the MitM to pass tainted object specific data to the application. There then exists the potential for the object data to be consumed by normal operations and the theoretical possibility for unexpected...
Read more @ http://blog.whmcs.com/?t=119286