Yesterday we learned of a vulnerability in a popular image resizing library called TimThumb, which is used in many WordPress themes and plugins. The vulnerability was first reported by Mark Maunder in a post on his blog, and has been confirmed by the author of TimThumb.
The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.
We recommend deleting timthumb.php or thumb.php if your site will work without them. If the file exists in a theme or plugin that you’re no longer using you may want to remove the entire theme or plugin directory. After you remove the TimThumb library make sure you check that your site is still working correctly.
If you must use TimThumb please make sure to update the file with the latest version and remember to check the TimThumb site regularly for updates. You should also set ALLOW_EXTERNAL to false and find the $allowedSites array inside the file and remove the domain names to prevent remote file downloading.
Make sure this constant is set to false:
define( 'ALLOW_EXTERNAL', false );
Before:
$allowedSites = array ( 'flickr.com', 'picasa.com', 'img.youtube.com', 'upload.wikimedia.org', );
After:
$allowedSites = array();
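The checks above are easy to miss when a site carries several themes and plugins, each with its own copy of the script. The following audit script is an added example (not VaultPress's or TimThumb's code): it walks a WordPress install, finds every timthumb.php or thumb.php, reports whether ALLOW_EXTERNAL is still true and whether $allowedSites still lists domains, and flags PHP files sitting in the script's cache directory, since that is where the vulnerability lets uploaded code land. It assumes the two settings keep the shape shown above and that each script caches into a cache/ folder beside itself (an assumption: check the cache directory your copy is configured with). The sample install it builds is constructed for the demo.

```python
"""Audit a WordPress tree for TimThumb copies and the settings this post
says to change. Added example, not VaultPress's or TimThumb's code.
Assumes define('ALLOW_EXTERNAL', ...) and $allowedSites = array(...);
keep the shape shown in the post, and that each script's cache directory
is a 'cache' folder beside it (assumption: verify against your copy)."""
import os
import re
import tempfile

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

# define( 'ALLOW_EXTERNAL', false );  (case-insensitive: TRUE/FALSE also occur)
ALLOW_EXTERNAL_RE = re.compile(
    r"""define\s*\(\s*['"]ALLOW_EXTERNAL['"]\s*,\s*(true|false)\s*\)""", re.I)
# $allowedSites = array ( 'a.com', 'b.com', );
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)
QUOTED_RE = re.compile(r"""['"]([^'"]+)['"]""")


def audit_timthumb_source(src):
    """Inspect one TimThumb file's source; return what it allows and why that matters."""
    match = ALLOW_EXTERNAL_RE.search(src)
    allow_external = None if match is None else match.group(1).lower() == "true"
    match = ALLOWED_SITES_RE.search(src)
    sites = QUOTED_RE.findall(match.group(1)) if match else []
    issues = []
    if allow_external is None:
        issues.append("ALLOW_EXTERNAL not found: inspect the file by hand")
    elif allow_external:
        issues.append("ALLOW_EXTERNAL is true: remote file fetching is enabled")
    if sites:
        issues.append("$allowedSites still lists %d domain(s): %s"
                      % (len(sites), ", ".join(sites)))
    return {"allow_external": allow_external, "allowed_sites": sites, "issues": issues}


def cached_php_files(cache_dir):
    """Files in the cache directory a web server would run as PHP, judged by
    extension (including double extensions such as name.php.jpg). Heuristic only:
    a server configured to execute other suffixes needs a wider check."""
    if not os.path.isdir(cache_dir):
        return []
    return sorted(name for name in os.listdir(cache_dir)
                  if os.path.isfile(os.path.join(cache_dir, name))
                  and ".php" in name.lower())


def scan_tree(root):
    """Walk a WordPress install and report every TimThumb copy found, sorted by path."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finding = audit_timthumb_source(fh.read())
            finding["path"] = os.path.relpath(path, root)
            # Assumed default: the script caches into a 'cache' folder beside itself.
            finding["cached_php"] = cached_php_files(os.path.join(dirpath, "cache"))
            if finding["cached_php"]:
                finding["issues"].append(
                    "PHP files in cache directory: treat as a possible compromise")
            report.append(finding)
    return sorted(report, key=lambda f: f["path"])


# Constructed samples for the stand-alone demo (not real theme files).
VULNERABLE_SAMPLE = """<?php
define( 'ALLOW_EXTERNAL', true );
$allowedSites = array ( 'flickr.com', 'picasa.com', 'img.youtube.com', 'upload.wikimedia.org', );
"""
HARDENED_SAMPLE = """<?php
define( 'ALLOW_EXTERNAL', false );
$allowedSites = array();
"""


def build_sample_tree():
    """Write a constructed two-theme install into a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    legacy = os.path.join(root, "wp-content", "themes", "legacy")
    os.makedirs(os.path.join(legacy, "cache"))
    with open(os.path.join(legacy, "timthumb.php"), "w") as fh:
        fh.write(VULNERABLE_SAMPLE)
    # Constructed placeholder standing in for a file dropped into the cache.
    with open(os.path.join(legacy, "cache", "external_placeholder.php"), "w") as fh:
        fh.write("<?php /* constructed placeholder */ ?>")
    current = os.path.join(root, "wp-content", "themes", "current")
    os.makedirs(current)
    with open(os.path.join(current, "thumb.php"), "w") as fh:
        fh.write(HARDENED_SAMPLE)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        status = "OK" if not finding["issues"] else "ACTION NEEDED"
        print("%s  %s" % (status, finding["path"]))
        for issue in finding["issues"]:
            print("    - " + issue)
```

Run it against the root of a real install by calling scan_tree("/path/to/wordpress") instead of the sample tree. A copy that reports no issues still needs to be the current TimThumb release, which this script does not check; a copy whose cache directory contains PHP files should be treated as a possible compromise and the site restored from a known-good backup rather than just cleaned.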
Theme and plugin authors should use the built-in WordPress functions such as add_image_size to resize images.
We are sending out emails to all VaultPress customers who have TimThumb installed on their site. Customers can contact the VaultPress Safekeepers directly for help from the VaultPress dashboard.
Useful information. My site relies on TimThumb, so I will definitely make the suggested modifications.
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….
That’s where a plugin like “Regenerate Thumbnails” comes in really handy. I honestly can’t really see any efficient way for WordPress to try to dynamically regenerate the thumbnails every time a plugin or theme registers a new image size, unfortunately. The add_image_size() function is called every time a page is loaded (WordPress doesn’t catalog the registered image sizes anywhere), so WP would basically need to have some way to scan all uploads directories for all images and attempt to resize any that don’t have all of the appropriate image sizes every single time a page (in the Admin area or on the website itself) is loaded. That would cause dramatic slowdowns and would really tax server resources.
Regenerate Thumbnails simply requires you to click a button to regenerate all images. It’d be kind of nice if WordPress would include at least that functionality in the core, though.
Wow. Have been looking for a solution like this for ages. Timthumb is really resource intensive and this plugin seems to do everything I need. Thank you!
I’ve just spent some time modifying a site to remove TimThumb, including writing a very dirty plugin to assign Featured Images to some 1,000 odd historical posts. I might be able to help you if you’re interested…
Thank you for the email notification of the vulnerability.
Thank you for the email notification of the vulnerability. Keep up the great work guys!
Thank you for the notification. Update made and now I will sleep better at night 😉 Thanks VaultPress!
Thanks for the notice… instead of deleting, could I rename the file to something else in the event it fixes itself and I can revert back to the original name?
It’s best to remove the file from your server or update the code within the file so you don’t chance the file being executed somehow. The file definitely needs to be updated if you plan on keeping it on your server.
Thanks a lot for the timely notification via email. I have replaced the file and have made the necessary changes.
You Rock for letting us know this…but you probably already know that.
Just had a look at my blog theme and found out that its vulnerable too. Thanks for this post listing. I’m trying out the modifications you advised. My blog was hacked last month and recovering it from backup was a pain. Thanks once again!
TimThumb has always bothered me so I use Jarrod Oberto’s excellent image resizer code in this tutorial http://net.tutsplus.com/tutorials/php/image-resizing-made-easy-with-php/
On behalf of my clients, thank you for this info on TimThumb. You just prevented some sleepless nights for me! You rock.
I have just started a new WordPress blog using timthumb v2.8.2, allowing external sites to true but only with my sub domain because I upload my images to my sub domain. Is it secure for me or should I go with WP add_image_size considering long term security and compatibility? Thanks in advance if anyone answers the question.
Hi, The latest version of TimThumb does not have this vulnerability so you should be safe using the sub domain restriction.
I replaced the file and had no problems what so ever. Thanks for the update