TimThumb Security Vulnerability – Common in Many Premium WordPress Themes

by admin on October 20, 2011

Yesterday a security vulnerability was discovered in the popular TimThumb image resizing script that is used in many premium WordPress themes. Some of the premium theme providers that include the timthumb script in their themes (or have done so in the past) include WooThemes, Elegant Themes, Pro Theme Design, WPZOOM as well as many themes from the ThemeForest marketplace.

The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.

It is recommended you delete all instances of the timthumb.php or thumb.php script if your theme will work without it. This also includes any inactive themes on your site that have the script.

Alternatively, update the file to the latest version, set ALLOW_EXTERNAL to false, and find the $allowedSites array inside the file and remove the domain names from it to prevent remote file downloading.

Before:

$allowedSites = array (
 'flickr.com',
 'picasa.com',
 'img.youtube.com',
 'upload.wikimedia.org',
 );

Change to:

$allowedSites = array();

Also make sure this constant is set to false:

define( 'ALLOW_EXTERNAL', false );

If you’re using the TimThumb script in your theme it is recommended you update to the latest version of the theme or apply the fix explained above. If you are not sure if your premium theme uses the TimThumb script, check the contents of your theme directory, or contact the creator of your theme.
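As an added example (not from the original post or the TimThumb project), here is a small POSIX shell audit that walks a themes directory for every timthumb.php / thumb.php copy, inactive themes included, and reports the ones that still allow remote fetching, i.e. where ALLOW_EXTERNAL is not false or $allowedSites is not an empty array. The helper names and the sample theme tree are constructed for the demonstration; point find_timthumb / report_risky at your real wp-content/themes directory to use it.

```shell
#!/bin/sh
# Hypothetical audit helper (not part of TimThumb or WordPress): find every
# TimThumb copy under a themes root, active or inactive themes alike, and list
# the ones that still allow remote file downloading.

# Print every timthumb.php / thumb.php below the given directory, sorted.
find_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) | sort
}

# Return 0 only if the file defines ALLOW_EXTERNAL as false AND has an empty
# $allowedSites array (the two changes the post recommends).
is_hardened() {
    grep -Eiq "define[[:space:]]*\([[:space:]]*'ALLOW_EXTERNAL'[[:space:]]*,[[:space:]]*false[[:space:]]*\)" "$1" \
        || return 1
    grep -Eiq '\$allowedSites[[:space:]]*=[[:space:]]*array[[:space:]]*\([[:space:]]*\)[[:space:]]*;' "$1" \
        || return 1
}

# Print the path of every TimThumb copy that is NOT hardened.
report_risky() {
    find_timthumb "$1" | while IFS= read -r f; do
        is_hardened "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample themes tree: one hardened copy in the active theme, and
# one forgotten copy in an inactive theme still using the post's "Before" values.
make_sample() {
    mkdir -p "$1/active-theme/lib" "$1/old-theme"
    printf '%s\n' '<?php' "define( 'ALLOW_EXTERNAL', false );" \
        '$allowedSites = array();' > "$1/active-theme/lib/timthumb.php"
    printf '%s\n' '<?php' "define( 'ALLOW_EXTERNAL', true );" \
        '$allowedSites = array (' " 'flickr.com'," " 'picasa.com'," ' );' \
        > "$1/old-theme/thumb.php"
}

SAMPLE_ROOT=$(mktemp -d)
make_sample "$SAMPLE_ROOT"
echo "TimThumb copies still allowing remote fetches under $SAMPLE_ROOT:"
report_risky "$SAMPLE_ROOT"   # prints only .../old-theme/thumb.php
rm -rf "$SAMPLE_ROOT"
```

Any path the report lists should be updated to the latest TimThumb and hardened as shown above, or deleted outright if the theme works without it.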
