WordPress theme and plugin vulnerability: timthumb.php

Post 78 of 262

Have you noticed strange things happening with your WordPress websites lately? Are spam links appearing in the theme HTML output without being visible when you view the page? Or are you using plugins or themes that have not been updated lately? Then there are a few articles you need to read.

There are a lot of themes and plugins that include a thumbnail generator script called timthumb.php, in which a serious security vulnerability has been discovered. It makes it possible to take control of your site by allowing files to be uploaded to your site by anyone familiar with the exploit. This can be abused to insert spam links on your site, and such links can go unnoticed since they can be hidden from plain view while still being visible for search engines indexing your site. This has happened to a lot of sites (the blog on the official website of the Swedish Green Party is one high-profile example here in Sweden). For a list of some of the themes that include the timthumb.php script, see blog.sucuri.net. It is in no way a complete list, and it does not include the many WordPress plugins that include the same script. But it shows the scope of the vulnerability.

Recommended action: Scan your site!

If you haven’t done so already, I recommend that you install the Timthumb.php Vulnerability Scanner from WordPress.org and run it on your site. I am a bit late on this topic, but it is worth repeating since there are obviously a lot of WordPress users who are still not familiar with this security issue.

If you find that you are affected by the vulnerability, you should immediately upgrade the timthumb.php file to the latest version to secure your site.

About the WordPress themes from andreasviklund.com

I have never used timthumb.php in any of the WordPress themes I have released, but I still ran a scan on the theme demo site where all my themes are installed – and the scan didn’t find any problems. But even if you are using one of my themes, you may have a plugin that may include the script, so I still recommend you to check your site.

, , ,

This article was written by Andreas Viklund

Web designer, writer and the creative engine behind this website. Author of most of the free website templates, along with some of the WordPress themes.

1 comment:

CoffeeManOctober 25, 2011 at 16:49Reply

Whoa… thanks for the heads-up. I wasn’t aware of this vulnerability, and I have a few wordpress sites that could be at risk. I appreciate the post, and will be running the scanner asap!

Menu