5 Comments


  1. I only got into WordPress this fall and was absolutely lucky when I signed up for Elegant Themes just a few days after this vulnerability had been corrected!

    Instead of shaking me, however, this incident has only made me feel all the better about having chosen WordPress for my sites. Thus, I’m not too concerned about any other security holes in the many plugins and themes available. May the WordPress community continue to mature in security, usability, and functionality!


  2. Yes, I noticed that the BlueHost hosting service was automatically correcting and fixing all accounts that used the TimThumb script.


  3. I actually started using TimThumb after the exploit hit – using the upgraded version.

    The reason was because I store my images used in posts on Photobucket and none of the core of WordPress will handle an external image unless it is uploaded to the media library. I don’t want that now.


  4. Hmm, given how massively popular TimThumb is, I think one can safely assume that if it can happen to a plugin as widely used as that one, it can happen to others as well.

  5. Jan

    The thing that WordPress COULD do is give some kind of advance notice about what is in the plugin you are installing. Far too many themes contain obfuscated code with horrid little advertising links, and people install these, blissfully unaware of their payload. Similarly, if the theme is installing extra PHP code, like timthumb.php, then it is surely worthwhile to tell the world.
