A zero-day vulnerability has recently been found in TimThumb, a popular image-resizing script bundled with many WordPress themes. The issue was discovered and reported by Mark Maunder after his own blog was hacked through the timthumb.php script.
The vulnerability lets an attacker get PHP code of their choosing written into TimThumb's cache directory and then run it. The weak spot is the remote-image feature: timthumb.php would fetch a file from any URL whose hostname merely contained one of the trusted domains listed in $allowedSites, so a hostname such as trusted-domain.attacker-controlled.example passed the check, and the fetched file landed in the cache directory, where it could be requested directly and executed as PHP. Once that code runs, the attacker has the same access to the affected site or blog as the web server itself.
If You Use TimThumb
If your current WordPress theme uses timthumb.php, update to the latest version of TimThumb now and check the official TimThumb site regularly for updates and announcements.
Aside from updating the TimThumb file, there is one more thing to do. Open timthumb.php (or thumb.php) in a text editor, find the ALLOW_EXTERNAL line and make sure its value is set to FALSE:
define ('ALLOW_EXTERNAL', FALSE);
Once ALLOW_EXTERNAL is set to FALSE, also remove the domains inside the $allowedSites array, so that remote file downloading stays disabled even if the setting is later switched back on. The stock file lists its trusted image hosts between the parentheses:
$allowedSites = array (
    ...
);
Change it to an empty array:
$allowedSites = array ();
If You Do Not Use TimThumb
If you don’t use or need timthumb.php, but other WordPress themes or plugins stored in your wp-content/themes folder ship with it, delete the timthumb.php/thumb.php file, or remove the entire unused theme or plugin folder, from your web server. An unused copy is still reachable by URL and just as exploitable as one you rely on.
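The checks above (ALLOW_EXTERNAL set to FALSE, $allowedSites emptied, and no stray copies or cached PHP left behind) are easy to miss when several themes and plugins each carry their own copy of the script. The following audit script is an added example, not code from the original post or from the TimThumb project: it walks a wp-content tree, applies the two configuration checks to every timthumb.php or thumb.php it finds, and lists any .php file sitting in a directory named cache, which is where the post says uploaded code ends up. The sample source texts and the temporary directory layout it builds are constructed for the demonstration; the hostnames in them are placeholders.

```python
"""
Audit every TimThumb copy under a WordPress wp-content tree.

Added example (not code from the original post or from TimThumb itself).
Sample TimThumb configurations below are constructed stand-ins.
"""
import os
import re
import tempfile

# Matches define ('ALLOW_EXTERNAL', FALSE); and captures the value.
ALLOW_EXTERNAL_RE = re.compile(
    r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(\w+)\s*\)", re.IGNORECASE)
# Matches $allowedSites = array ( ... ); and captures the body.
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;",
                              re.DOTALL)
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}


def audit_source(src):
    """Return a list of findings for one TimThumb source text (empty = OK)."""
    findings = []
    m = ALLOW_EXTERNAL_RE.search(src)
    if m is None:
        findings.append("ALLOW_EXTERNAL is not defined")
    elif m.group(1).lower() != "false":
        findings.append("ALLOW_EXTERNAL is %s, should be FALSE" % m.group(1))
    m = ALLOWED_SITES_RE.search(src)
    if m is None:
        findings.append("$allowedSites array not found")
    else:
        # Any quoted string left inside array ( ... ) is a still-trusted host.
        sites = re.findall(r"['\"]([^'\"]+)['\"]", m.group(1))
        if sites:
            findings.append("$allowedSites still lists: " + ", ".join(sites))
    return findings


def audit_tree(root):
    """Walk root; return (findings per TimThumb file, .php files in cache dirs)."""
    results = {}
    cache_php = []
    for dirpath, _dirs, files in os.walk(root):
        in_cache = os.path.basename(dirpath) == "cache"
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in TIMTHUMB_NAMES:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = audit_source(fh.read())
            if in_cache and name.lower().endswith(".php"):
                cache_php.append(path)
    return results, cache_php


# Constructed sample configurations (placeholder hostnames, not real defaults).
VULNERABLE_SRC = """<?php
define ('ALLOW_EXTERNAL', TRUE);
$allowedSites = array (
    'images.example.com',
    'cdn.example.org',
);
"""
HARDENED_SRC = """<?php
define ('ALLOW_EXTERNAL', FALSE);
$allowedSites = array ();
"""


def demo():
    """Build a throwaway wp-content tree, audit it and return the results."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    old = os.path.join(root, "themes", "old-theme")
    cur = os.path.join(root, "themes", "current-theme")
    os.makedirs(os.path.join(old, "cache"))
    os.makedirs(cur)
    with open(os.path.join(old, "thumb.php"), "w") as fh:
        fh.write(VULNERABLE_SRC)
    with open(os.path.join(cur, "timthumb.php"), "w") as fh:
        fh.write(HARDENED_SRC)
    # A constructed stray .php in the cache dir stands in for dropped code.
    with open(os.path.join(old, "cache", "dropped.php"), "w") as fh:
        fh.write("<?php // constructed placeholder, not real attacker code\n")
    return audit_tree(root)


if __name__ == "__main__":
    results, cache_php = demo()
    for path, findings in sorted(results.items()):
        print(path, "OK" if not findings else "; ".join(findings))
    for path in cache_php:
        print("PHP file in a cache directory, review or delete:", path)
```

Run it against a real install by calling audit_tree() on the wp-content path instead of demo(). Anything reported under a cache directory deserves a look before deletion, since it is evidence of what was fetched; anything reported for an unused theme is simplest to fix by removing that theme entirely, as the section above recommends.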
The theme I’m using here on JaypeeOnline – FreshNews by WooThemes – uses TimThumb. After reading about this vulnerability, I immediately removed the thumb.php file and replaced it with an updated one. I was worried that I was using a very old version of TimThumb and that upgrading might mess up my blog, but after the upgrade I checked all the thumbnails and everything seems to be working fine. I also removed everything related to the old version of TimThumb and cleared the cache.
If you want to know more about the TimThumb zero day vulnerability, how it was discovered and other additional info, check out Mark Maunder’s blog post.