  1. Chip Bennett

    Note that, if you’re using a Theme downloaded from the official WordPress Theme Directory, you have nothing to worry about, since directory-hosted Themes cannot bundle TimThumb.

    There’s really no good reason to bundle TimThumb in a WordPress Theme anymore. 99% of what it does is redundant with core functionality. I wish commercial Theme developers would figure that out, and stop bundling it.


  2. Bryan Cady

    I “believe” that Themify fixed their themes when this happened the first time. I checked the changelog and Photobox did at least. Elegant themes did too. If someone has a list of plugins that use timthumb, please post them.


  3. wormeyman

    I really can’t say I’m shocked, this library seems to be full of problems.


  4. laerte

    I think this version (2.8.13) already has this set up, right?

    if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);


  5. Themify


    We would like to inform you that we’ve addressed the issue immediately and released the update. All Themify members are recommended to update their themes.


  6. Rams

    Indeed, just checked with v2.8.13, a version that is at least 5 months old, and it has the recommended setting set to ‘false’.

    I’m not sure why this is news? It’s set to false by default in the latest version of TimThumb.
    I do agree with Chip Bennett though, solid statement.


  7. garthmortensen

    I think it’s also important to note the CutyCapt AND XVFB are required for this exploit to work. Even if you have webshot turned on and allow all external websites it won’t work.


  8. vacantserver

    Command line to check your public web root:

    find . -name "*thumb.php" -exec grep -H -n 'WEBSHOT_ENABLED' {} \;

    This will return lines from (tim)thumb.php. Line numbers for the parameter in question are generally ~108-113, depending on the version of (tim)thumb.php.


    • watwebdev

      We recommend using the following, as not all files contain the word “thumb”:

      find / -name '*.php' -exec grep WEBSHOT_ENABLED {} \;
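
An added audit script that combines the two checks above; it is not from either commenter. It classifies every PHP file under a given root by its WEBSHOT_ENABLED define (so a renamed copy or a config file that redefines the constant is also caught) and counts the files where webshot is enabled. Function names and the sample paths are this example's own.

```shell
#!/bin/sh
# Added example (not posted by any commenter): audit every PHP file under a
# web root for the WEBSHOT_ENABLED constant that gates TimThumb's webshot
# feature. Scanning all *.php rather than only *thumb.php matters because a
# renamed copy, or a timthumb-config.php that defines the constant as true,
# would otherwise be missed. Function names here are this example's own.

# Classify one PHP file. Prints one of:
#   enabled  - define('WEBSHOT_ENABLED', true) present (webshot reachable)
#   disabled - constant referenced but never defined as true
#   unset    - constant not referenced at all (not a TimThumb copy/config)
webshot_state() {
    f="$1"
    if ! grep -q 'WEBSHOT_ENABLED' "$f"; then
        echo unset
        return 0
    fi
    # Either quote style, any spacing, case-insensitive TRUE; the literal
    # "\(" survives double quotes and reaches grep as an escaped paren.
    if grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*true" "$f"; then
        echo enabled
    else
        echo disabled
    fi
}

# Print "<state> <path>" for every PHP file that references the constant.
# Paths are read line by line so directories with spaces are handled.
report_webshot() {
    find "$1" -name '*.php' -print | while IFS= read -r f; do
        state=$(webshot_state "$f")
        [ "$state" = unset ] || printf '%s %s\n' "$state" "$f"
    done
}

# Number of files with webshot enabled; 0 means nothing to fix.
count_webshot_enabled() {
    report_webshot "$1" | awk '$1 == "enabled" { n++ } END { print n + 0 }'
}

# Stand-alone use: sh webshot_audit.sh /var/www/html
if [ -n "${1-}" ]; then
    report_webshot "$1"
    echo "enabled: $(count_webshot_enabled "$1")"
fi
```

Run it against the public web root (or an extracted theme archive before installing it) and treat any non-zero count as a file to fix or remove.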


  9. Summer

    There are still plugins in the WordPress repository that bundle timthumb. I was looking for a new related posts plugin earlier this year, and after downloading one to test it out, I was shocked to read through it and find that it was using timthumb (Contextual Related Posts, if anyone needs to know).

    I immediately disabled it, deleted it from test site, and deleted it from my computer. No one needs to use timthumb anymore, and after having had to clean up after an exploit several years ago, I won’t subject myself to it anymore, no matter how many assurances are constantly given about it being “fixed”.


  10. watwebdev

    Why are WooThemes using TimThumb when even the developer of TimThumb doesn’t use it, hadn’t used it since before the 2011 exploit, and there are better ways to do this?

    This is what the TimThumb developer had to say:
    “Don’t use TimThumb”
    “I no longer maintain it”
    “there’s just better ways now”
    “WordPress has had support for post thumbnails for ages now – and I use these all the time in my themes. I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011”.

    A few years ago, I became a full member of WooThemes, but I obtained a refund when I was told by their staff that when they test their themes they do not have errors displayed and they do not check their error logs. I am sure they have improved since then.


    • Piet

      You would think they (WooThemes) have improved, but as far as I know their Canvas theme is still using timthumb…

