Full title: WHMCS Group Pay Plugin 1.5 (grouppay.php, hash param) - SQL Injection
Category: web applications
Platform: php

We have found a SQL injection inside the Group Pay plugin for WHMCS. A lot of game hosting companies are using this plugin. The SQL injection is in the function gp_LoadUserFromHash.

# 0day.today @ http://0day.today/
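
A hardened hash-to-client lookup of the kind a function such as gp_LoadUserFromHash performs, shown as an added example for remediation; it is not the plugin's code. The table `example_clients`, the function name `lookupClientByHash` and the 32-character hex hash format are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Assumptions: the hash is a
// 32-character lowercase hex digest; example_clients(id, pay_hash) is a
// hypothetical table constructed for this demonstration.

function lookupClientByHash(PDO $db, string $hash): ?int
{
    // 1. Allow-list the format before touching the database.
    //    \A and \z anchor the whole string; "$" would accept a trailing newline.
    if (preg_match('/\A[0-9a-f]{32}\z/', $hash) !== 1) {
        return null;
    }
    // 2. Bind the value as a parameter; never concatenate it into the SQL text.
    $stmt = $db->prepare('SELECT id FROM example_clients WHERE pay_hash = :h LIMIT 1');
    $stmt->execute([':h' => $hash]);
    $id = $stmt->fetchColumn();   // false when no row matches
    return $id === false ? null : (int) $id;
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE example_clients (id INTEGER PRIMARY KEY, pay_hash TEXT UNIQUE)');
$known = md5('constructed-sample-client');
$db->prepare('INSERT INTO example_clients (id, pay_hash) VALUES (?, ?)')
   ->execute([7, $known]);

// Constructed inputs: one valid hash and several that must not reach the query.
$inputs = [
    'known hash'       => $known,
    'unknown hash'     => md5('nobody'),
    'quote in value'   => "it's-not-hex",
    'wrong length'     => substr($known, 0, 31),
    'trailing newline' => $known . "\n",
];
foreach ($inputs as $label => $value) {
    $id = lookupClientByHash($db, $value);
    printf("%-17s => %s\n", $label, $id === null ? 'rejected/not found' : "client $id");
}
```

Only the first input resolves to a client; the unknown hash passes validation but matches no row, and the remaining three are rejected before any SQL is executed.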