DSA Media News and Information

TimThumb Vulnerability

** Outdated Post **

In August 2011 a major vulnerability was found in the TimThumb image resizing script. This is a popular script that is used on many websites but is also very popular with many WordPress commercial themes and some plugins.

The script was updated and secured soon after the vulnerability was found; however, we have recently been made aware of a second theme on our server that was still using the vulnerable code. Thankfully, our security scanner detected an attempt to upload a malicious file via the exploit and quarantined it, and the theme has since been upgraded by the site owner.

However, this highlights the fact that site owners need to be more active in keeping their plugins and themes up to date. Modern WordPress themes can contain just as many potential exploits as plugins can, and must be kept up to date at all times. Often the reason for not upgrading a theme is that modifications have been made to an off-the-shelf theme; however, this should not be a reason to leave a potentially insecure theme running. If you need to make code modifications to a theme, you should be using a child theme instead, which leaves the main theme untouched and allows you to keep upgrading it as soon as new versions are released.

We are therefore asking all hosting clients to check their sites. If the TimThumb script is present (note that this is not WordPress-specific), please ensure it is updated to the latest version, and if you run a WordPress site, please ensure that all themes, whether in use or not, are always kept up to date with the latest release.

To help with keeping on top of updates, we recommend that you install and use the WP Updates Notifier plugin, which will email you as soon as an update is available for the core files, a plugin, or a theme from the WordPress repository. However, this will not notify you about themes or plugins that are not hosted on the WordPress website, so you will still need to check regularly to ensure that any updates are carried out as soon as possible.
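To make the "check your sites" step above concrete, here is an added inventory script (not code from the original post or from the TimThumb project) that walks a web root, finds every copy of the TimThumb script, including those in inactive themes, and reports each one's declared version against a minimum you supply. It assumes TimThumb is shipped as timthumb.php or thumb.php and declares its version with a `define ('VERSION', '...')` line; the minimum version is an operator-supplied assumption, since the post does not name one.

```shell
#!/bin/sh
# Added example, not from the original post: inventory TimThumb copies under a web root
# and flag those below an operator-chosen minimum version. Assumptions (not in the post):
# TimThumb ships as timthumb.php or thumb.php and declares define ('VERSION', 'x.y.z');
# the post names no fixed version, so the minimum is passed in as an argument.

# Print the VERSION constant from a TimThumb-style file, or "unknown" if it is absent.
timthumb_version() {
    v=$(grep -m1 -oE "define *\( *'VERSION' *, *'[0-9.]+'" "$1" 2>/dev/null |
        sed -E "s/.*'([0-9.]+)'\$/\1/")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Dotted-numeric compare: succeed when version $1 >= minimum $2 (1.34 < 2.0, 2.10 > 2.9).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0; if (p < q) exit 1
        }
        exit 0 }'
}

# Walk a web root and print one line per TimThumb copy: STATUS, path, version (tab separated).
# Inactive themes are scanned too: a script in an unused theme is still reachable over HTTP.
scan_timthumb() {
    find "$1" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) 2>/dev/null |
    while IFS= read -r f; do
        grep -qi 'timthumb' "$f" || continue   # an unrelated thumb.php is not TimThumb
        v=$(timthumb_version "$f")
        if [ "$v" = unknown ]; then st=REVIEW
        elif version_at_least "$v" "$2"; then st=OK
        else st=OUTDATED; fi
        printf '%s\t%s\t%s\n' "$st" "$f" "$v"
    done
}

# Constructed fixtures standing in for a hosting web root; the version strings are made up.
make_fixtures() {
    d=$(mktemp -d); mkdir -p "$d/old-theme" "$d/new-theme" "$d/gallery"
    echo "<?php /* TimThumb */ define ('VERSION', '1.34'); ?>" > "$d/old-theme/timthumb.php"
    echo "<?php /* TimThumb script */ define('VERSION','2.8.10');" > "$d/new-theme/thumb.php"
    echo '<?php echo "gallery thumbnail"; ?>' > "$d/gallery/thumb.php"
    printf '%s\n' "$d"
}

ROOT=$(make_fixtures)
MIN_VERSION=2.0   # assumed minimum for the demo; use the version your vendor declares fixed
scan_timthumb "$ROOT" "$MIN_VERSION"
```

Point `scan_timthumb` at the real document root and treat every OUTDATED or REVIEW line as a theme or plugin that needs upgrading, whether or not it is currently active.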