ok , here we go foreach ($avail_types as $type) { include($type . ".plugin.php"); here's the source so what's the problem ? your source is correct but the source that i found the vuln. in it , shows that there is a Remote File Inclusion Vulnerabilite in your script Regards T3rr0rist