Security vulnerabilities have plagued the TimThumb script for years. It is most commonly used to crop, zoom and resize images in WordPress themes. After the large-scale attacks launched against the script a few years ago, one might think that theme and plugin developers would have stopped building with it. That is not the case, and according to the exploit disclosure issued today, many websites are once again at risk.
TimThumb 2.8.13 has a vulnerability in its “WebShot” feature that, when enabled, allows attackers to execute commands on the server hosting the script. At this time there is no patch. Security experts at Sucuri break down the threat as follows: “With a simple command, an attacker can create, remove and modify any files on your server.”
The WebShot feature is disabled by default in TimThumb’s own configuration, but a theme or plugin can turn it on, so Sucuri recommends checking every copy of the timthumb file on your server to make sure it is still disabled. Search for “WEBSHOT_ENABLED” and verify that it is set to false, as shown below:
define ('WEBSHOT_ENABLED', false);
This vulnerability affects many WordPress themes, plugins, and third-party components. According to the disclosure, all themes from Themify use this script, as do several plugins, including WordPress Gallery Plugin and the IGIT Posts Slider Widget.
Your theme or plugin may also bundle this script even if it is not named in the disclosure, so do not assume you are unaffected just because your theme is not on the list. If you’ve ever lost an entire weekend fixing client sites that fell victim to TimThumb exploits, you know that confirming WebShot is disabled is worth the few minutes it takes. It is a simple step you can take now to keep your sites from being compromised through this bug.
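Checking one file by hand is fine for one site, but the advice above (verify WEBSHOT_ENABLED on every copy, including copies in themes the disclosure does not name) is easier to follow with a script. The following shell script is an added example written for this article; it is not code from the article, from Sucuri or from TimThumb. It walks a directory, finds every PHP file that defines WEBSHOT_ENABLED and reports the value. Files are matched by content rather than by name because TimThumb is frequently shipped under names such as thumb.php, and because TimThumb only defines the constant when it is not already defined, so a theme can switch WebShot on from a different file. The directory layout and file contents built by make_sample_tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article, Sucuri or TimThumb): find every PHP file
# under a directory that defines WEBSHOT_ENABLED and report whether it is on.
set -eu

# scan_webshot DIR
# Prints one line per PHP file under DIR that mentions WEBSHOT_ENABLED:
#   <status><TAB><path>   where status is enabled, disabled or unknown.
# "unknown" means the constant is referenced but not defined with a literal
# true/false in that file; such files deserve a manual look.
scan_webshot() {
    find "$1" -type f -name '*.php' -exec grep -l 'WEBSHOT_ENABLED' {} + 2>/dev/null \
    | sort \
    | while IFS= read -r f; do
        # First define() of the constant: case-insensitive, any quote style or spacing.
        line=$(grep -i "define[[:space:]]*([[:space:]]*['\"]WEBSHOT_ENABLED['\"]" "$f" | head -n 1)
        # Extract the literal after the comma and normalise it to lower case.
        value=$(printf '%s\n' "$line" \
            | sed -n "s/.*WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*\([A-Za-z]*\).*/\1/p" \
            | tr 'A-Z' 'a-z')
        case "$value" in
            true)  status=enabled ;;
            false) status=disabled ;;
            *)     status=unknown ;;
        esac
        printf '%s\t%s\n' "$status" "$f"
    done
}

# make_sample_tree
# Builds a throw-away tree shaped like wp-content/ with constructed files:
# a stock-style TimThumb copy (WebShot off), a renamed copy with WebShot on,
# a theme file that overrides the constant, and a file that is not TimThumb.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo" "$root/wp-content/plugins/slider"
    printf '%s\n' '<?php' \
        "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);" \
        > "$root/wp-content/themes/demo/timthumb.php"
    printf '%s\n' '<?php' \
        "define('WEBSHOT_ENABLED', true);" \
        > "$root/wp-content/plugins/slider/thumb.php"
    printf '%s\n' '<?php' \
        'define ( "WEBSHOT_ENABLED" , TRUE ) ;' \
        > "$root/wp-content/themes/demo/config.php"
    printf '%s\n' '<?php' \
        "echo 'not a TimThumb file';" \
        > "$root/wp-content/themes/demo/functions.php"
    printf '%s\n' "$root"
}

# Demo on the constructed tree. On a real host run e.g.: scan_webshot /var/www/html
demo_root=$(make_sample_tree)
scan_webshot "$demo_root"
rm -rf "$demo_root"
```

Any line that starts with "enabled" is a site exposed to this bug and should be fixed before anything else; "unknown" lines are files that reference the constant without a plain true/false define and need to be read by hand. Run it against the document root of every WordPress install you maintain, not just the theme directory.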