It turns out the my experiences with poor security and poor customer service at whmcs are not the exception. It didn’t take long to find out that whmcs has a repeated pattern of poor security and poor customer service. They routinely deny security issues exist and only act when an vulnerability is disclosed publicly. I finally got a “senior” technician to answer and the answer I received:
Thanks for contacting WHMCS support.
This is not an error generated by WHMCS, but rather, is a server-side issue.
A Web server may return a 403 Forbidden HTTP status code in response to a request from a client for a Web page or resource to indicate that the server refuses to allow the requested action. In other words, the server can be reached, but the server declined to allow the requested access.
A typical request that may receive a 403 Forbidden response is a GET for a Web page, performed by a Web browser to retrieve the page for display to a user in a browser window. The Web server may return a 403 Forbidden status for other types of requests as well.
The Apache Web server returns 403 Forbidden in response to requests for URL paths that correspond to filesystem directories, when directory listings have been disabled in the server. Some administrators configure the mod_proxy extension to Apache to block such requests, and this will also return 403 Forbidden. Microsoft IIS responds in the same way when directory listings are denied in that server. In WebDAV, the 403 Forbidden response will be returned by the server if the client issued a PROPFIND request but did not also issue the required Depth header, or issued a Depth header of infinity.
There can be many reasons for such an error, including, but not limited to:
If you are uncertain of how to resolve this particular issue, you should contact your system administrator and/or Web host.
The same boilerplate response I got when I first brought this up. I do not have the time to do security research for a company that is only interested in taking my money.