Title: insecure include code
Last modified: August 31, 2016

---

# insecure include code

 *  [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/insecure-include-code/)
 * It was brought to my attention that your theme uses an insecure method to include
   CSS from other plugin files. I have seen many exploits involving malicious PHP
   code in CSS files; this is only a problem if those files are referenced by an
   include statement, because the include function executes PHP code.
 * Example from lines 1999-2000 of css.php:
 *     ```
       if (function_exists('wp_pagenavi')) {
       include (WP_PLUGIN_DIR.'/wp-pagenavi/pagenavi-css.css');
       ```
   
 * This statement could also cause a PHP error if the folder for the wp-pagenavi
   plugin was renamed or if another plugin uses a function called “wp_pagenavi”.
   To fix both the bug and the security vulnerability here you should change this
   code (and all the other lines like it) to something like this:
 *     ```
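       // Emit the stylesheet as plain text only when the file actually exists.
       if (is_file(WP_PLUGIN_DIR.'/wp-pagenavi/pagenavi-css.css') && function_exists('wp_pagenavi')) {
           // file_get_contents() returns the bytes as-is; unlike include, it does not run PHP found in the file.
           echo file_get_contents(WP_PLUGIN_DIR.'/wp-pagenavi/pagenavi-css.css');
       }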
       ```
   
 * Please let me know if you intend to fix this issue or if you need any help with
   any of this.
 * Aloha, Eli
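
The difference between `include` and `file_get_contents()` described in the post above, as an added example that is not part of the original thread or the theme's code. The temp directory standing in for the plugin folder, the `capture()` helper and the `PHP_RAN` marker are constructed for the demo.

```php
<?php
// Added demo: constructed input, not code from the theme or the plugin.
// Assumption: a temp directory stands in for WP_PLUGIN_DIR/wp-pagenavi.
$dir = sys_get_temp_dir() . '/include-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
$css = $dir . '/pagenavi-css.css';

// Constructed "tampered" stylesheet: ordinary CSS plus an embedded PHP tag.
// The tag only echoes a harmless marker string.
file_put_contents($css, ".wp-pagenavi { clear: both; }\n<?php echo 'PHP_RAN'; ?>\n");

// Hypothetical helper: run a loader and return what it wrote to the output buffer.
function capture(callable $loader): string
{
    ob_start();
    $loader();
    return ob_get_clean();
}

// Pattern quoted from css.php: include hands the file to the PHP parser.
$viaInclude = capture(function () use ($css) {
    include $css;
});

// Pattern from the suggested fix: check the file exists, then echo its bytes.
$viaRead = capture(function () use ($css) {
    if (is_file($css)) {
        echo file_get_contents($css);
    }
});

// With include, the PHP tag is consumed and its output lands in the CSS.
// With file_get_contents(), the tag stays in the output as inert text.
printf("include output still contains the PHP tag:            %s\n",
    var_export(strpos($viaInclude, '<?php') !== false, true));
printf("file_get_contents output still contains the PHP tag:  %s\n",
    var_export(strpos($viaRead, '<?php') !== false, true));
printf("--- include output ---\n%s\n--- file_get_contents output ---\n%s\n",
    $viaInclude, $viaRead);

// Clean up the constructed files.
unlink($css);
rmdir($dir);
```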

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [Christi Nickerson](https://wordpress.org/support/users/christini/)
 * (@christini)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/insecure-include-code/#post-6967464)
 * Hi Eli,
 * This is a public forum; security vulnerabilities should be reported privately
   so issues can be addressed before being released publicly.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [10 years, 4 months ago](https://wordpress.org/support/topic/insecure-include-code/#post-6967465)
 * That’s not so much a vulnerability, more of a bad practice/idea. CSS should
   be enqueued; using `include` isn’t a good idea for the reasons Eli mentioned.
 *  [Christi Nickerson](https://wordpress.org/support/users/christini/)
 * (@christini)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/insecure-include-code/#post-6967479)
 * Good to know, Jan. Thanks for the clarification. Glad this wasn’t truly an
   exploit/security vulnerability being posted in a public forum 🙂


The topic ‘insecure include code’ is closed to new replies.

 * Atahualpa

 * 3 replies
 * 3 participants
 * Last reply from: [Christi Nickerson](https://wordpress.org/support/users/christini/)
 * Last activity: [10 years, 4 months ago](https://wordpress.org/support/topic/insecure-include-code/#post-6967479)
 * Status: not resolved