TimThumb Security Vulnerability


A zero day vulnerability has been found in TimThumb, a popular image resizing script used by several WordPress themes. The person who discovered the vulnerability has issued a fix and instructions to detect any lingering hacks.

As described on the VaultPress blog, “The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.”

The folks at Sucuri have constructed a great list of just a few affected WordPress themes, just to give you idea of how many themes use TimThumb.

If your theme uses TimThumb, contact your theme author for an update immediately, or download the latest version if it has already been updated. If your theme author is not willing to offer an update, it’s probably time for a new theme, but you can also get the latest version of TimThumb from its Google Code page.




  1. Oliver says:

    Hi, thanks for the info.

    Just my 0.02$, I think you’d be making the community a service with an additional information : how can we MANUALLY check if our theme resorts to the TimThumb function, or not.

    • Network Geek (21 comments.) says:

      Did you check the links in the post? If you follow the link to the listed themes, you’ll notice a pattern that may help you determine whether or not the theme you use includes TimThumb. It’s not a *definitive* answer, to be sure, but it looks like most of the effected themes include a “timthumb.php” file. Also, since it makes a cache directory that’s being exploited, it seems like if the theme in question has made an image cache directory, you might want to dig a little deeper into the code to find out for sure.

      Also, the link to the person who found the vulnerability includes “a fix and instructions to detect any lingering hacks.”
      So, that seems like it would have the answer to your concern.

  2. Aarav (1 comments.) says:

    Thanks for this post. I just checked out the article at vaultpress and modified my blog accordingly. After having my blog hacked just last month I am getting real active in finding posted vulnerabilities and taking corrective action, something I was lazy about earlier and paid for it the hard way…

  3. Robert says:

    The plugin WP Mobile Detector also uses the timthumb script

  4. Parag (1 comments.) says:

    It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  5. Robert says:

    Had lost 2 hours on this. Here is my solution:

    Server didn’t return the right DOCUMENT_ROOT, so in thumb.php I had to add

    $_SERVER[“DOCUMENT_ROOT”] = ‘/domains/www/public_html';

    In my case I’ve looked for the DOCUMENT_ROOT with
    echo getcwd();

Obviously Powered by WordPress. © 2003-2013

page counter