20 Comments


  1. Note that, if you’re using a Theme downloaded from the official WordPress Theme Directory, you have nothing to worry about, since directory-hosted Themes cannot bundle TimThumb.

    There’s really no good reason to bundle TimThumb in a WordPress Theme anymore. 99% of what it does is redundant with core functionality. I wish commercial Theme developers would figure that out, and stop bundling it.

    Reply

    1. Is there a way to scan/check to see if my theme/plugin/whatever else bundles the timthumb script?

      I have over 50 sites (clients/my own) that I would prefer to not check manually and many of them have themes from WordPress Theme directory, others are not.

      Reply
        1. Simon

          Even though it’s outdated, that plugin should still at least tell you if and where you have the timthumb script. Then just check it manually from there.

          Reply
      1. vacantserver

See my comment below for a command line to scan your web root.

        Reply

    2. I’m happy to say that theme authors haven’t been allowed to bundle TimThumb on ThemeForest since 2011. Totally agree with Chip that there is no reason to bundle it these days.

      Reply

  2. I “believe” that Themify fixed their themes when this happened the first time. I checked the changelog and Photobox did at least. Elegant themes did too. If someone has a list of plugins that use timthumb, please post them.
    Thanks

    Reply

  3. I really can’t say I’m shocked, this library seems to be full of problems.

    Reply

  4. I think this version (2.8.13) already has this set up, right?

    if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);

    Reply

  5. Hello,

    We would like to inform that we’ve addressed the issue immediately and released the update. All Themify members are recommended to update their themes.

    Reply

    1. Just out of curiosity, why wouldn’t you switch to using the Aqua-Resizer script?

      Reply
  6. Rams

    Indeed, just checked with v2.8.13, a version that is at least 5 months old, and it has the recommended setting set to ‘false’.

    I’m not sure why this is news? It’s set to false by default in the latest version of TimThumb.
    I do agree with Chip Bennett though, solid statement.

    Reply
  7. garthmortensen

    I think it’s also important to note the CutyCapt AND XVFB are required for this exploit to work. Even if you have webshot turned on and allow all external websites it won’t work.

    Reply
    1. vacantserver

      That would be very common on a local dev Mac, and possibly OSX server, etc.

      Reply
  8. vacantserver

    Command line to check your public web root:

    find . -name "*thumb.php" -exec grep -H -n 'WEBSHOT_ENABLED' {} \;

    This will return lines from (tim)thumb.php. The line number for the parameter in question is generally ~108-113, depending on the version of (tim)thumb.php.

    Reply
    1. watwebdev

      We recommend using the following, as not all files contain the word “thumb”:

      find / -name '*.php' -exec grep WEBSHOT_ENABLED {} \;

      Reply
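The two find/grep one-liners above only list matching lines. The script below is an added example (not code from the original post, the commenters, or the TimThumb project) that does the scan as a reusable function and reports the configured value per file. Because the stock guard is `if(! defined('WEBSHOT_ENABLED')) define('WEBSHOT_ENABLED', false);`, a theme or plugin file that defines the constant before including timthumb.php wins, so the scan covers every .php file, not just *thumb.php. The directory tree built by setup_demo() is constructed for illustration; the file names in it are hypothetical.

```sh
#!/bin/sh
# Added example: scan a web root for any PHP file that references
# WEBSHOT_ENABLED and report the value it defines. Not from the original
# post or from TimThumb itself.

# Print "path<TAB>setting" for every .php file under $1 that mentions
# WEBSHOT_ENABLED. "setting" is the literal passed to define(), or
# "unknown" when the file references the constant without defining it.
scan_webshot() {
    root="$1"
    find "$root" -name '*.php' -type f -exec grep -l 'WEBSHOT_ENABLED' {} \; 2>/dev/null |
    while IFS= read -r f; do
        # Pull the define() call and keep only the value token after the comma.
        val=$(grep -o "define *( *['\"]WEBSHOT_ENABLED['\"] *, *[A-Za-z0-9]*" "$f" \
              | head -n 1 | sed 's/.*,[[:space:]]*//')
        if [ -z "$val" ]; then
            val=unknown
        fi
        printf '%s\t%s\n' "$f" "$val"
    done
}

# Number of files whose setting is anything other than false/0. Every one of
# these deserves a manual look, including "unknown".
count_enabled() {
    scan_webshot "$1" | awk -F '\t' 'tolower($2) != "false" && $2 != "0" { n++ } END { print n+0 }'
}

# Build a small constructed tree that mimics the cases a real scan hits:
# a stock copy with the default guard, a renamed copy switched on, and a
# config file that defines the constant before including a stock copy.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/a" "$d/themes/b" "$d/plugins/c"
    printf '<?php\nif(! defined("WEBSHOT_ENABLED") ) define ("WEBSHOT_ENABLED", false);\n' \
        > "$d/themes/a/timthumb.php"
    printf '<?php\ndefine("WEBSHOT_ENABLED", true);\n' > "$d/themes/b/img.php"
    printf '<?php\ndefine("WEBSHOT_ENABLED", true);\nrequire "timthumb.php";\n' \
        > "$d/plugins/c/config.php"
    printf '<?php\nif(! defined("WEBSHOT_ENABLED") ) define ("WEBSHOT_ENABLED", false);\n' \
        > "$d/plugins/c/timthumb.php"
    echo "$d"
}

# Usage: sh scan_webshot.sh /var/www/html   (scans the given root)
#        sh scan_webshot.sh                  (runs against the demo tree)
if [ $# -gt 0 ]; then
    scan_webshot "$1"
else
    demo=$(setup_demo)
    scan_webshot "$demo"
    echo "files needing attention: $(count_enabled "$demo")"
    rm -rf "$demo"
fi
```

In the demo tree the two files that define the constant as true are reported, while the two stock copies show false; the config.php case is exactly the one a `*thumb.php`-only search misses.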
  9. Summer

    There are still plugins in the WordPress repository that bundle timthumb. I was looking for a new related posts plugin earlier this year, and after downloading one to test it out, I was shocked to read through it and find that it was using timthumb (Contextual Related Posts, if anyone needs to know).

    I immediately disabled it, deleted it from test site, and deleted it from my computer. No one needs to use timthumb anymore, and after having had to clean up after an exploit several years ago, I won’t subject myself to it anymore, no matter how many assurances are constantly given about it being “fixed”.

    Reply
  10. watwebdev

    Why are WooThemes using TimThumb when even the developer of TimThumb doesn’t use it, hadn’t used it since before the 2011 exploit, and there are better ways to do this?

    This is what the TimThumb developer had to say:
    “Don’t use TimThumb”
    “I no longer maintain it”
    “there’s just better ways now”
    “WordPress has had support for post thumbnails for ages now – and I use these all the time in my themes. I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011”.

    A few years ago, I became a full member of WooThemes, but I obtained a refund when I was told by their staff that when they test their themes they do not have errors displayed and they do not check their error logs. I am sure they have improved since then.

    Reply

    1. You would think they (WooThemes) have improved, but as far as I know their Canvas theme is still using timthumb…

      Reply
