WordPress Security Alert: New Zero-Day Vulnerability Discovered in TimThumb Script

photo credit: kama17 - cc

Security vulnerabilities have plagued the TimThumb script for years. It is most commonly used in cropping, zooming and resizing images in WordPress themes. After the large scale attacks launched against the script a few years ago, one might think that theme and plugin developers would be less likely to continue building with it. However, this is not the case and many websites are again in danger, according to the exploit disclosure issued today.

TimThumb 2.8.13 has a vulnerability with its “Webshot” feature that, when enabled, allows attackers to execute commands on a remote website. At this time there is no patch. Security experts at Sucuri break down the threat as follows: “With a simple command, an attacker can create, remove and modify any files on your server.”

Although the Webshot feature should be disabled by default, Sucuri recommends that you check your timthumb file to make sure it’s disabled. Search for “WEBSHOT_ENABLED” and verify that it’s set to “false,” as shown below:

define('WEBSHOT_ENABLED', false);
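To run that check across a whole web root rather than one file at a time, here is an added shell script (not from the article, Sucuri or the TimThumb project) that reports each *thumb.php copy as ENABLED, DISABLED or NO_WEBSHOT_DEFINE (older releases predate the Webshot feature and have no such define), while ignoring commented-out defines. The sample web root it builds is constructed for the demo and the function names are my own.

```shell
#!/bin/sh
# Scan a WordPress web root for TimThumb copies and report the Webshot setting.

# Print the Webshot state of one PHP file: ENABLED, DISABLED or NO_WEBSHOT_DEFINE.
webshot_state() {
    # Match an uncommented define('WEBSHOT_ENABLED', true|false) with either
    # quote style and any whitespace around the parenthesis and the comma.
    val=$(grep -iE "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*(true|false)[[:space:]]*\)" "$1" \
        | head -n 1 \
        | sed -E 's/.*,[[:space:]]*([A-Za-z]+)[[:space:]]*\).*/\1/' \
        | tr '[:upper:]' '[:lower:]')
    case "$val" in
        true)  echo ENABLED ;;
        false) echo DISABLED ;;
        *)     echo NO_WEBSHOT_DEFINE ;;
    esac
}

# Report every *thumb.php under a web root (timthumb.php, thumb.php, ...).
scan_webroot() {
    find "$1" -type f -iname '*thumb.php' | sort | while read -r f; do
        printf '%s\t%s\n' "$(webshot_state "$f")" "$f"
    done
}

# Number of copies with Webshot enabled; anything above 0 needs attention.
count_enabled() {
    scan_webroot "$1" | grep -c '^ENABLED' || true
}

# Constructed sample web root with three TimThumb-like files; prints its path.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/theme-a" "$root/wp-content/plugins/slider" \
             "$root/wp-content/themes/theme-old"
    # Constructed: the safe default, spaced like the real 2.8.13 line.
    printf "<?php\ndefine ('WEBSHOT_ENABLED', false);\n" > "$root/wp-content/themes/theme-a/timthumb.php"
    # Constructed: risky setting, double quotes, odd spacing, plus a commented decoy.
    printf '<?php\n// define("WEBSHOT_ENABLED", false);\ndefine(  "WEBSHOT_ENABLED" ,  TRUE );\n' \
        > "$root/wp-content/plugins/slider/thumb.php"
    # Constructed: an older release with no Webshot define at all.
    printf '<?php\ndefine ("MAX_WIDTH", 1500);\n' > "$root/wp-content/themes/theme-old/timthumb.php"
    echo "$root"
}

sample=$(make_sample_root)
scan_webroot "$sample"
rm -rf "$sample"
```

Point `scan_webroot` at your real document root (for example `scan_webroot /var/www/html`) and fix every ENABLED line.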

This vulnerability affects many WordPress themes, plugins, and third party components. According to the disclosure, all themes from Themify utilize this script, as well as several plugins, including WordPress Gallery Plugin and the IGIT Posts Slider Widget.

It’s important to recognize that your theme or plugin may also use this script, even if it’s not listed in the disclosure. If you’ve ever lost an entire weekend fixing client sites that fell victim to TimThumb exploits, then you know that disabling the Webshot option is probably a good idea. This is a simple thing that you can do now to prevent your sites from getting hacked.


20 responses to “WordPress Security Alert: New Zero-Day Vulnerability Discovered in TimThumb Script”

  1. Note that, if you’re using a Theme downloaded from the official WordPress Theme Directory, you have nothing to worry about, since directory-hosted Themes cannot bundle TimThumb.

    There’s really no good reason to bundle TimThumb in a WordPress Theme anymore. 99% of what it does is redundant with core functionality. I wish commercial Theme developers would figure that out, and stop bundling it.

  2. Indeed, just checked with v2.8.13, a version that is at least 5 months old, and it has the recommended setting set to ‘false’.

    I’m not sure why this is news? It’s set to false by default in the latest version of TimThumb.
    I do agree with Chip Bennett though, solid statement.

  3. Command line to check your public web root:

    find . -name "*thumb.php" -exec grep -H -n 'WEBSHOT_ENABLED' {} \;

    This will return lines from (tim)thumb.php. Line numbers for the parameter in question are generally ~108-113, depending on the version of (tim)thumb.php.

  4. There are still plugins in the WordPress repository that bundle timthumb. I was looking for a new related posts plugin earlier this year, and after downloading one to test it out, I was shocked to read through it and find that it was using timthumb (Contextual Related Posts, if anyone needs to know).

    I immediately disabled it, deleted it from the test site, and deleted it from my computer. No one needs to use timthumb anymore, and after having had to clean up after an exploit several years ago, I won’t subject myself to it anymore, no matter how many assurances are constantly given about it being “fixed”.

  5. Why are WooThemes using TimThumb when even the developer of TimThumb doesn’t use it, hasn’t used it since before the 2011 exploit, and there are better ways to do this?

    This is what the TimThumb developer had to say:
    “Don’t use TimThumb”
    “I no longer maintain it”
    “there’s just better ways now”
    “WordPress has had support for post thumbnails for ages now – and I use these all the time in my themes. I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011”.

    A few years ago, I became a full member of WooThemes, but I obtained a refund when I was told by their staff that when they test their themes they do not have errors displayed and they do not check their error logs. I am sure they have improved since then.

