WordPress Security Alert: New Zero-Day Vulnerability Discovered in TimThumb Script

photo credit: kama17 - cc

Security vulnerabilities have plagued the TimThumb script for years. It is most commonly used in cropping, zooming and resizing images in WordPress themes. After the large scale attacks launched against the script a few years ago, one might think that theme and plugin developers would be less likely to continue building with it. However, this is not the case and many websites are again in danger, according to the exploit disclosure issued today.

TimThumb 2.8.13 has a vulnerability with its “Webshot” feature that, when enabled, allows attackers to execute commands on a remote website. At this time there is no patch. Security experts at Sucuri break down the threat as follows: “With a simple command, an attacker can create, remove and modify any files on your server.”

Although the Webshot feature should be disabled by default, Sucuri recommends that you check your timthumb file to make sure it’s disabled. Search for “WEBSHOT_ENABLED” and verify that it’s set to “false,” as shown below:

define('WEBSHOT_ENABLED', false);

This vulnerability affects many WordPress themes, plugins, and third-party components. According to the disclosure, all themes from Themify utilize this script, as well as several plugins, including WordPress Gallery Plugin and the IGIT Posts Slider Widget.

It’s important to recognize that your theme or plugin may also use this script, even if it’s not listed in the disclosure. If you’ve ever lost an entire weekend fixing client sites that fell victim to TimThumb exploits, then you know that disabling the WebShot option is probably a good idea. This is a simple thing that you can do now to prevent your sites from getting hacked.
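Checking one timthumb.php by hand is easy; checking dozens of sites is not. The following scanner is an added example, not code from the article or from TimThumb itself. It walks a web root, treats any PHP file that mentions "TimThumb" or "WEBSHOT_ENABLED" as a copy of the script (an assumption; bundled copies are often renamed), and reports whether the first `define('WEBSHOT_ENABLED', ...)` in each file sets it to true, false, or leaves it unset. The sample file tree it builds is constructed for the demonstration and is not real theme code.

```python
import os
import re
import tempfile
from typing import Optional

# Matches define('WEBSHOT_ENABLED', true|false) with any quoting or whitespace,
# including the guarded form shipped in 2.8.13:
#   if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);
# "defined(" does not match because a "(" must follow "define" directly.
_WEBSHOT_DEFINE = re.compile(
    r"""define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)

# Assumed fingerprint for the script: its header comment names it, and every
# version with the Webshot feature references this constant.
_TIMTHUMB_MARKERS = ("TimThumb", "WEBSHOT_ENABLED")


def parse_webshot_setting(source: str) -> Optional[bool]:
    """Return True/False for the first WEBSHOT_ENABLED define in a PHP source,
    or None if the file never defines it.

    PHP keeps the first define() of a constant and ignores later ones, so the
    first match is the one that takes effect within this file."""
    m = _WEBSHOT_DEFINE.search(source)
    if m is None:
        return None
    return m.group(1).lower() == "true"


def looks_like_timthumb(source: str) -> bool:
    """Heuristic: the file contains one of the assumed TimThumb markers."""
    return any(marker in source for marker in _TIMTHUMB_MARKERS)


def scan_webroot(root: str) -> list[tuple[str, str]]:
    """Report every PHP file under root that looks like TimThumb, with status
    'ENABLED', 'disabled', or 'not set (relies on script default)'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if not looks_like_timthumb(source):
                continue
            setting = parse_webshot_setting(source)
            if setting is True:
                status = "ENABLED"
            elif setting is False:
                status = "disabled"
            else:
                status = "not set (relies on script default)"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, status))
    return sorted(findings)


# Constructed sample tree (not real theme or plugin code): three files that
# look like TimThumb, one per status, plus an unrelated PHP file.
_SAMPLES = {
    "wp-content/themes/a/timthumb.php":
        "<?php\n// TimThumb script (constructed sample)\n"
        "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);\n",
    "wp-content/themes/b/thumb.php":
        "<?php\n/* TimThumb */\ndefine(\"WEBSHOT_ENABLED\", TRUE);\n",
    "wp-content/plugins/c/lib/resize.php":
        "<?php\n// TimThumb bundled under another file name\nfunction x(){}\n",
    "wp-content/plugins/d/d.php":
        "<?php\necho 'hello';\n",
}


def build_sample_tree() -> str:
    """Write the constructed samples into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="timthumb-scan-")
    for rel, body in _SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Point scan_webroot() at a real document root instead of the sample tree.
    for path, status in scan_webroot(build_sample_tree()):
        print(f"{status:>38}  {path}")
```

Any file reported as ENABLED is the one to fix first; a file reported as "not set" is worth opening by hand, since whether the script's own default applies depends on the version and on any config file the theme loads before it.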

20 Comments


  1. Note that, if you’re using a Theme downloaded from the official WordPress Theme Directory, you have nothing to worry about, since directory-hosted Themes cannot bundle TimThumb.

    There’s really no good reason to bundle TimThumb in a WordPress Theme anymore. 99% of what it does is redundant with core functionality. I wish commercial Theme developers would figure that out, and stop bundling it.



    1. Is there a way to scan/check to see if my theme/plugin/whatever else bundles the timthumb script?

      I have over 50 sites (clients/my own) that I would prefer to not check manually and many of them have themes from WordPress Theme directory, others are not.



      1. Even though it’s outdated, that plugin should still at least tell you if and where you have the timthumb script. Then just check it manually from there.



2. See my comment below for a command line to scan your web root.



    2. I’m happy to say that theme authors haven’t been allowed to bundle TimThumb on ThemeForest since 2011. Totally agree with Chip that there is no reason to bundle it these days.



  2. I “believe” that Themify fixed their themes when this happened the first time. I checked the changelog and Photobox did at least. Elegant themes did too. If someone has a list of plugins that use timthumb, please post them.
    Thanks



  3. I really can’t say I’m shocked, this library seems to be full of problems.



  4. I think this version (2.8.13) already has this set up, right?

    if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);



  5. Hello,

    We would like to inform that we’ve addressed the issue immediately and released the update. All Themify members are recommended to update their themes.



    1. Just out of curiosity, why wouldn’t you switch to using the Aqua-Resizer script?



  6. Indeed, just checked with v2.8.13, a version that is at least 5 months old, and it has the recommended setting set to ‘false’.

    I’m not sure why this is news? It’s set to false by default in the latest version of TimThumb.
    I do agree with Chip Bennett though, solid statement.



  7. I think it’s also important to note the CutyCapt AND XVFB are required for this exploit to work. Even if you have webshot turned on and allow all external websites it won’t work.



    1. That would be very common on a local dev Mac, and possibly OSX server, etc.



  8. Command line to check your public web root:

    find . -name "*thumb.php" -exec grep -H -n 'WEBSHOT_ENABLED' {} \;

    This will return lines from (tim)thumb.php. Line numbers for the parameter in question are generally ~108-113, depending on the version of (tim)thumb.php.



    1. We recommend using the following, as not all files contain the word “thumb”:

      find / -name '*.php' -exec grep -H WEBSHOT_ENABLED {} \;



  9. There are still plugins in the WordPress repository that bundle timthumb still. I was looking for a new related posts plugin earlier this year, and after downloading one to test it out, I was shocked to read through it and find that it was using timthumb (Contextual Related Posts, if anyone needs to know).

    I immediately disabled it, deleted it from test site, and deleted it from my computer. No one needs to use timthumb anymore, and after having had to clean up after an exploit several years ago, I won’t subject myself to it anymore, no matter how many assurances are constantly given about it being “fixed”.



  10. Why are WooThemes using TimThumb when even the developer of TimThumb doesn’t use it, hadn’t used it since before the 2011 exploit, and there are better ways to do this?

    This is what the TimThumb developer had to say:
    “Don’t use TimThumb”
    “I no longer maintain it”
    “there’s just better ways now”
    “WordPress has had support for post thumbnails for ages now – and I use these all the time in my themes. I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011”.

    A few years ago, I became a full member of WooThemes, but I obtained a refund when I was told by their staff that when they test their themes they do not have errors displayed and they do not check their error logs. I am sure they have improved since then.



    1. You would think they (WooThemes) have improved, but as far as I know their Canvas theme is still using timthumb…

