That’s correct.
Unfortunately, on certain forums, it’s being referred to as a “WHMCS vulnerability”.
A bit like how people commonly say “WordPress is insecure” when a site is hacked, what they really mean most of the time is that the outdated and poorly written plugins attached to that WordPress website are insecure, and were responsible for that site being hacked.
Source link