I was trying to create a hook to query an external source when a user does not exist:
add_hook("ClientLoginShare",1,"hook_login_user_from_ldap");
Then I removed that piece of code (Now it's the original whmcs without any modifications).
But now whatever password I enter for a user, it logs in! How can this be and what I'm supposed to do?
The records for the users in db seem to be correct and untouched:
email: [email protected]
password: fdc586a75dabee47810667b735a85e25:%cidv
(original password: abc1235)
OK, I found out when this occurs. When an admin is logged in at the same session from admin panel, every user with every password can log in from the user panel!
I don't know why this happens, but now at least I can avoid it.