August 3, 2011 The WordPress community has been going frantic this morning after it was discovered that there is a security vulnerability in the popular TimThumb script that is used for resizing images. The security hole gives intruders access to the server hosting the script. A number of people have already found themselves to be hacked, including the original developer of the script.
The issue was discussed last night in the IRC Development Chat with an early decision being made that all themes using the script should be suspended and that a patch should be pushed out (update: this hasn’t been agreed by the theme review team yet). In fact, the trunk version of the script has already been updated to fix the problem. This raises all sorts of questions about what sort of scripts will be allowed in the theme directory in the future.
How Does This Affect Me?
If you are using timthumb in your theme or plugin then update it. Grab the latest version from the trunk and paste in the code to replace the insecure version. It is as simple as that.
Timthumb is a very, very popular script and so it is worth checking to see if you are using it in your theme. If you are resizing a lot of images as thumbnails then it’s quite possible that it is being used. Of course, these days WordPress can do this itself but TimThumb does increase flexibility.
To find out if you are using TimThumb go to Appearance > Editor and look for a theme file called timthumb.php or thumb.php.
Copy the code from the updated trunk and paste it into the text editor. Save!
Known Theme Shops Using TimThumb
There are a number of major theme shops using TimThumb. Here are their responses:
- Woo Themes – update your theme or the code in thumb.php
- Templatic - thumb.php script does not use $allowedSites so not affected
- Elegant Themes – update to latest version
- Theme Shift – update theme or change code to latest version of timthumb
- Theme Lab – 3 themes using timthumb. Fix provided at link
Remember, if you are using a theme from a theme marketplace such as Mojo Themes or Theme Forest then it is the responsiblity of the individual developer to push out an update. Or you can just fix it yourself.
Know of any more? Let us know so WPMU.org readers are aware. Just to be clear though – it’s not a bad thing to be using TimThumb so please don’t take this out on theme developers or the developer of TimThumb. It’s a great script that many theme developers have been making money off it and improving their sites for years. In fact, older version of timthumb didn’t have this problem. Just spread the world so that everyone can update to the latest version and we can secure our sites.
(header image CC license from Don Hankins)
Thank you for the heads-up! Gotta love the WordPress community.
Thanks, WPMU, for the heads-up. Gotta love the #wordpress community!
How about PressWork? Is it safe?
Thanks for the heads up!
The Vulcan theme at ThemeForest uses TimThumb.php.
http://themeforest.net/item/vulcan-minimalist-business-wordpress-theme-4/111625
Pingback: 워드프레스 timthumb.php 사용 테마 주의! | HwangC
Pingback: Arquivo timthumb.php tem falha séria que afeta diversos temas para Wordpress « Purainfo
Okay, so I copied the new file contents from and replaced the entire timthumb script in my theme’s timthumb.php file – is this the correct procedure? Or does one just copy and replace a certain section? I am using Elegant Themes and don’t want to use their fix because it gets rid of timthumb entirely, and I like the script…
Thank you guys for the fix!
~ freida
WPZoom uses the script in their themes. They have an acknowledgment post, updated the script for their themes, and a link to the latest version of the script. http://www.wpzoom.com/forum/viewtopic.php?f=21&t=5080
Thank you for making our lives a lot easier!
Pingback: Arquivo timthumb.php tem falha séria que afeta diversos temas para WordPress » Purainfo
To add to your list of known theme shops, I’ve noticed that Themify.me also uses a version of TimThumb. They have issued new versions of their themes with the updated script, BUT they do not push a notification to users in their dashboard. You actually have to go to their website and re-download and re-install the theme manually.
Also Headway uses TimThumb but issued an update to fix it which you can install from your dashboard
We use timthumb on our Mu and Kappa theme, and have now updated them.
Our latest theme, Xi does not use timthumb. There is less of a need for it, as you can use WordPress to generate thumbnails of different sizes. The only downside of using native thumbs is that you have to regenerate thumbs when you change themes.
Pingback: LivingOS WordPress Theme Loom » Updates to Kappa and Mu timthumb script
I would strongly suggest you update to the latest version rather than patch the particular hole. I have found a second 0day that occurs in all versions before timthumb 2, which was released August 6.
Hello! I have a lot of sites that use timthumb, do you know which version of timthumb is vulnerable ?
because I m making a big cleaning here so to know with which site I have to begin!
Thank you for your answer and have a nice day !
Pingback: How to protect your WordPress site as hackers exploit TimThumb security hole
Pingback: Save Your WordPress Site With the Timthumb Vulnerability Scanner and 1-Click Upgrade
Pingback: Save Your WordPress Site With the Timthumb Vulnerability Scanner …
We’ve had several automated attacks (to sites that don’t even use WP), and I was able to compile a list of addresses pretty quickly that appear to use TimThumb:
I manage quite a few WP sites, and while the security scan script is fine for smaller sites, it chokes and dies on large sites, and for managing this many sites, it’s a huge waste of time. So I wrote a bash script that’ll do it for you. Use at your own risk:
Pingback: A Fix for the TimThumb Vulnerability in WordPress blogs | THE BLOGGER'S BULLETIN
Pingback: For all of you using WordPress (and using TimThumb) check this out.
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….
I have been using a theme that employs this and the developer sent me an updated file back when this was identified that he indicated would secure this. I just noticed that Google displays Buy Levlen Without Prescription for my site. Is this an indicatation that I have been attacked via this weakness? And can you point me to any resources to clean out this infection?
Thanks
Chris
That’s likely, but it’s also possible that your site was hacked by another security hole, such as lax permissions on critical files. Check your .htaccess file first, as this sounds like a referer hack in .htaccess.
Might also be the WordPress Pharma hack http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
Pingback: 워드프레스 timthumb.php 사용 테마 주의! | HwangC 워드프레스
Pingback: Wordpress News - The Best WordPress Tips and Tutorials of 2011Wordpress News
Pingback: Keeping Your Wordpress Site Secure - Clarity Themes
Pingback: Bangladesh Web Lab | Bangladeshi Web Designer and Developer Blogs – Best WordPress Tips and Tutorials of 2011
Pingback: WordPress Arena: A Blog for WordPress Developers, Designers and Blogger