Title: possible security risk using include function to render images!
Last modified: August 30, 2016

---

# possible security risk using include function to render images!

 *  Resolved [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/possible-security-risk-using-include-function-to-render-images/)
 * > …/wp-content/plugins/sendpress/classes/public-views/class-sendpress-public-
   > view-open.php
 * In this file you have replaced this improper technique:
   `//include(SENDPRESS_PATH.'img/clear.gif');` with code that uses the file_get_contents function to output
   your image content safely, without the possible execution of PHP code.
 * However, in this other file:
 * > …/wp-content/plugins/sendpress/inc/pages/default-public.php
 * this code:
   `include(SENDPRESS_PATH. '/im/clear.gif');` is still active and could
   be used by hackers to gain control over a user's site.
 * It is unfortunately fairly common, as hacks go, to be able to upload image files
   using vulnerabilities in older versions of timthumb, revslider, gravityforms,
   and other such code that allows for uploading. These uploaded images can contain
   PHP code that would be uselessly ineffective to a hacker unless it is called by
   an include function as you have done in this plugin. You should never render
   the contents of an image file with the include function, which is intended to
   execute PHP code within the referenced file. Instead you should use passthru
   or another function, like the technique you used with the file_get_contents function,
   to render the content of those files without PHP interpretation/execution.
 * I hope you can act on this quickly and release a fix for this vulnerability in
   your next update.
 * Aloha, Eli
 * [https://wordpress.org/plugins/sendpress/](https://wordpress.org/plugins/sendpress/)
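The contrast Eli describes, as an added example that is not code from the SendPress plugin: the `include()` pattern beside a helper that serves the same GIF as raw bytes. `SENDPRESS_PATH` is assumed to be the plugin's base directory constant; the helper name and the header check are this example's own.

```php
<?php
// Added example (not from the SendPress plugin). SENDPRESS_PATH is assumed
// to be defined by the plugin as its base directory.

// RISKY: include() hands the file to the PHP interpreter. If the GIF has been
// replaced or appended with "<?php ... ?>" (e.g. via an upload flaw elsewhere),
// that code runs on the server. Never do this for image files.
// include(SENDPRESS_PATH . '/img/clear.gif');

/**
 * Send a static GIF to the client as raw bytes, never interpreting it as PHP.
 * Returns false (sending nothing) if the path escapes $base_dir, the file is
 * missing, or the content does not start with a GIF header.
 */
function sendpress_example_serve_gif(string $base_dir, string $relative): bool
{
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $relative);
    // Refuse anything that resolves outside the plugin directory ("../" etc.).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($path)) {
        return false;
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return false;
    }
    // Sanity check: real GIFs start with "GIF87a" or "GIF89a". This catches
    // obviously wrong content; the real protection is that the bytes are
    // echoed, not include()d, so embedded PHP is never executed.
    $magic = substr($data, 0, 6);
    if ($magic !== 'GIF87a' && $magic !== 'GIF89a') {
        return false;
    }
    header('Content-Type: image/gif');
    header('Content-Length: ' . strlen($data));
    header('X-Content-Type-Options: nosniff');
    echo $data; // raw bytes to the browser
    return true;
}

// Usage, assuming the plugin has already defined SENDPRESS_PATH:
// if (!sendpress_example_serve_gif(SENDPRESS_PATH, 'img/clear.gif')) {
//     http_response_code(404);
// }
```

`readfile($path)` would serve the same purpose as `file_get_contents()` plus `echo` here; what matters is that no code path passes the image to `include`, `require` or `eval`.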

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Plugin Author [Josh Lyford](https://wordpress.org/support/users/joshl/)
 * (@joshl)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/possible-security-risk-using-include-function-to-render-images/#post-6716795)
 * This will be fixed in the next release and we will have it out in the next hour
   or so.
 * Thanks for the notice.
 * Best,
    Josh
 *  Plugin Author [itdoug](https://wordpress.org/support/users/itdoug/)
 * (@itdoug)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/possible-security-risk-using-include-function-to-render-images/#post-6716797)
 * Eli,
 * Drop us a line in our contact form. Happy to get you a free license of Pro for
   finding this.
 * [https://sendpress.com/contact-us/](https://sendpress.com/contact-us/)
 *  Thread Starter [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/possible-security-risk-using-include-function-to-render-images/#post-6716823)
 * Thanks guys, for the fast reply.
 * It’s nice to know you are responsive to forum posts and quick to fix bugs 😉
 *  Thread Starter [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/possible-security-risk-using-include-function-to-render-images/#post-6716991)
 * Thanks for the update. I see that you removed that second file completely so 
   that vulnerability has been nullified.
 * I notice you left the commented-out code in the first file, though I know it is
   not a threat as long as it is rem'd out, but I wonder why you didn't go ahead
   and remove it from that file if it's not being used any more. I see there were
   a lot of other changes in this release and I'm sure you had a lot to think about
   when releasing all those changes, but maybe you can take out that other commented-out
   include statement in your next release for peace of mind.
 * Aloha, Eli
 *  Plugin Author [Josh Lyford](https://wordpress.org/support/users/joshl/)
 * (@joshl)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/possible-security-risk-using-include-function-to-render-images/#post-6716992)
 * Hi Eli,
 * Forgot about the old code in the comments. We will take it out in the next release.
 * Best,
    Josh

