Hi, we found an XSS vulnerability via the theme parameter to admin/theme.php.

Details:

    $fh = fopen($theme_root . $_POST['theme'] . '/' . $filename, 'w') or die("can't open file " . $theme_root . $_POST['theme'] . '/' . $filename);

The $_POST variable is used as an argument to the die() function. When fopen() fails, an attacker can perform an XSS attack (see attachment).
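To illustrate the report, the quoted pattern next to a hardened version. This is an added example, not code from the report or from the affected project; the names open_theme_file_vulnerable and open_theme_file_safe are hypothetical, and $theme_root and $filename are assumed to be set by the surrounding code as in the quoted line.

```php
<?php
// Added illustration, not code from the report or the affected project.
// $theme_root and $filename are assumed to be set by the caller, as in the
// quoted line from admin/theme.php.

// Pattern as quoted in the report: when fopen() fails, die() writes the raw
// $_POST['theme'] value into the HTTP response, so a POST with
// theme=<script>alert(1)</script> is reflected into the page unescaped.
function open_theme_file_vulnerable($theme_root, $filename) {
    $fh = fopen($theme_root . $_POST['theme'] . '/' . $filename, 'w')
        or die("can't open file " . $theme_root . $_POST['theme'] . '/' . $filename);
    return $fh;
}

// Hardened version: validate the theme name against a strict pattern before
// using it, and HTML-escape anything that is reflected into an error message.
function open_theme_file_safe($theme_root, $filename) {
    $theme = isset($_POST['theme']) ? (string) $_POST['theme'] : '';

    // Only allow simple directory names; this rejects markup characters
    // (and, as a side effect, slashes and dots).
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $theme)) {
        http_response_code(400);
        exit('Invalid theme name.');
    }

    $path = $theme_root . $theme . '/' . $filename;
    $fh = @fopen($path, 'w');
    if ($fh === false) {
        // Escape before reflecting, so the value can never be parsed as HTML
        // even if the validation above is relaxed later.
        $safe = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        http_response_code(500);
        exit("can't open file " . $safe);
    }
    return $fh;
}
```

The escaping in the error path is what closes the reported XSS; the whitelist check is defence in depth, since it keeps the reflected string to characters that cannot form markup in the first place.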