There is a security vulnerability in WHMCS v5.2.10 which allows to access any invoice which does not belong to client. WHMCS has advised to disable “Mass Pay” option.
You can disable it from Setup > General Settings > Invoices > de-select “Enable Mass Payment” option and save it.
As I am writing this, they have yet not released any patch. You can monitor their official blog (http://blog.whmcs.com/). The blog will be updated as soon as they release a patch.
A patch was released immediately by WHMCS. Depending on your WHMCS version, you can either use a patch set or full upgrade. You can refer our article on how to upgrade WHMCS for complete steps and guideline.