Hello! I have found a vulnerability in the EQDKP Plus. More precisely in the plugin mediacenter. Because of incorrectly checks the file extension it is possible to upload the "htm" file and execute XSS attack. But with some restrictions. The plugin checks the contents for tags: [code=plugins/mediacenter/include/mediacenter.class.php:421] function check_content($fieldname){ $disallowed = "body|head|html|img|plaintext|a href|pre|script|table|title|php"; $disallowed_content = explode('|', $disallowed); if (empty($disallowed_content)) { return false; } [/code] To get around this, you can use the Next design: [code] [/code] After downloading the file to the server, you can find the file on request: http://site.com/dkp/plugins/mediacenter/index.php?mode=ajax&id = [ID]. [ID] - simple exhaustive search. Example: http://www.eqdkp-plus.com/demo06/data/d2c0752ce264405a0555a3825c2494f2/mediacenter/thumbs_b/ee5bb2c59c237307d61bcb0bae1e08f2.htm Vulnerable versions: <=0.6.4.5 P.S. Sorry for my bad english. :) Best Regards, iPower.