A serious vulnerability was recently discovered in the popular TimThumb script. TimThumb is a tool that is used to manipulate images, and is used by many themes and plugins. This vulnerability may allow users to execute certain malicious commands on affected servers.
If you subscribe to VaultPress Premium, we’ve already scanned your site for this vulnerability, and have sent email notifications to affected users. We’ve also launched a fixer that will allow you to patch vulnerable code with a single click. You can run this fixer from the Security page in your VaultPress dashboard.
All other VaultPress users should refer to their theme and plugin documentation, or contact their developer, to determine whether they are using TimThumb. You can also search your server for timthumb.php. If you’re running TimThumb, you should ensure that the vulnerable WebShot feature is disabled in timthumb.php.
You can manually disable the vulnerable WebShot feature in a few steps:
- Locate the TimThumb script inside your themes and plugins. Generally the file will be named timthumb.php.
- Open timthumb.php in your favorite text editor.
- Search the file for WEBSHOT_ENABLED and ensure it is set to false.
As always, drop us a line if you have any questions!