Title: SECURITY FIX
Last modified: August 30, 2016

---

# SECURITY FIX

 *  [loganaden](https://wordpress.org/support/users/loganaden/)
 * (@loganaden)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/security-fix/)
 * Hi:
 * Prevent using the files variable to point to non-CSS files such as PHP files.
   This was reported by Ali Khalil, who said that it was possible to make a request
   such as:
 * `site.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php`
 * Since the aim is to process CSS files only, the files variable should only contain
   files that end with .css.
 * Patch available on github:
    [https://github.com/wp-plugins/wp-mobile-edition/pull/1](https://github.com/wp-plugins/wp-mobile-edition/pull/1)
 * [https://github.com/loganaden/wp-mobile-edition/commit/ccef413c24fe52dede0ee51cca534ea8001bb407](https://github.com/loganaden/wp-mobile-edition/commit/ccef413c24fe52dede0ee51cca534ea8001bb407)
 * [https://wordpress.org/plugins/wp-mobile-edition/](https://wordpress.org/plugins/wp-mobile-edition/)
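
An added example, not part of the original post and not the plugin's patch: one way to apply the `.css`-only rule described above, combined with a directory containment check so that a `.css` name reached through `../` is rejected as well. The function name `resolve_css_files`, the comma-separated format of `files`, and the demo directory tree are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Assumes `files` is a comma-separated
// list of names relative to the css directory (an assumption for illustration).
function resolve_css_files(string $filesParam, string $baseDir): ?array
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $resolved = [];
    foreach (explode(',', $filesParam) as $name) {
        $name = trim($name);
        // Reject empty entries and NUL bytes outright.
        if ($name === '' || strpos($name, "\0") !== false) {
            return null;
        }
        // Extension check: the condition the post asks for.
        if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'css') {
            return null;
        }
        // realpath() collapses ../ and symlinks; it returns false if the file is missing.
        $path = realpath($base . DIRECTORY_SEPARATOR . $name);
        if ($path === false || !is_file($path)) {
            return null;
        }
        // Containment check: the resolved path must stay under the css directory.
        if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            return null;
        }
        $resolved[] = $path;
    }
    return $resolved;
}

// Constructed demo tree: one stylesheet, plus a PHP file and a .css file outside css/.
$root = sys_get_temp_dir() . '/cssdemo_' . bin2hex(random_bytes(4));
mkdir("$root/css", 0700, true);
file_put_contents("$root/css/main.css", "body{margin:0}");
file_put_contents("$root/wp-config.php", "<?php // constructed placeholder");
file_put_contents("$root/other.css", "p{}");

foreach (['main.css', '../wp-config.php', '../other.css', 'main.css,../wp-config.php'] as $input) {
    $ok = resolve_css_files($input, "$root/css");
    printf("%-28s => %s\n", $input, $ok === null ? 'rejected' : 'served');
}
```

Only `main.css` is served; `../other.css` passes the extension test but fails the containment test, which is why the two checks are used together.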


 *  Plugin Author [Fdoromo](https://wordpress.org/support/users/fdoromo/)
 * (@fdoromo)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/security-fix/#post-6214924)
 * css.php removed in Version 2.5.


The topic ‘SECURITY FIX’ is closed to new replies.


 * 1 reply
 * 2 participants
 * Last reply from: [Fdoromo](https://wordpress.org/support/users/fdoromo/)
 * Last activity: [10 years, 9 months ago](https://wordpress.org/support/topic/security-fix/#post-6214924)
 * Status: not resolved