Security, WordPress and other CMS

Vulnerability in TimThumb

Leave a comment

TimThumb is a toolkit for cropping and resizing images that’s used in numerous WordPress themes and plugins. A serious flaw in TimThumb was widely exploited several years ago to hijack thousands of WordPress sites.

A new vulnerability in TimThumb was recently revealed. This new flaw allows attackers to execute malicious code on vulnerable WordPress sites. Thankfully, the vulnerability only exists when TimbThumb’s ‘webshot’ feature is enabled, and that feature is disabled by default.

If you administer any WordPress sites, you should check for the use of TimThumb and make sure webshot is disabled. Search your site’s files for ‘timthumb.php’ and if you find it, make sure webshot is not enabled. In other words, if you see this:

WEBSHOT_ENABLED == true

… either comment out that line or change ‘true’ to ‘false’ and save the file. There may be multiple copies of timthumb.php on any given site.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

View all posts by jrivett | Website

Leave a Reply

Your email address will not be published. Required fields are marked *