back to article Zero day bug threatens many WordPress sites

Attackers are exploiting a widely used extension for the WordPress publishing platform to take control of vulnerable websites, one of the victims has warned. The vulnerability affects virtually all websites that have an image-resizing utility called TimThumb running with WordPress, Mark Maunder, CEO of Seattle-based Feedjit, …


This topic is closed for new posts.
  1. Frontend Wizard

    One question

    Is this timthumb thing part of every wordpress install, or is it a plugin (the word extension is used in the article) that you have to install yourself. The idea that masses of WP sites are exposed implies to me that it's part of wordpress by default?

    1. VinceH

      Letters, digits.

      I think whether you're using TimThumb depends on the theme you're using - so look at the documentation/website of the theme developer.

      1. Owen Carter

        Frantically scrabbling for answers..

        Just had a panic since I use WP a lot; but it appears this is not a plugin.

        It's a tool that some theme developers use for convenience, it's just a PHP script that lives in the same folder as the images you want to thumbnail. You don't install it separately since it is part of the theme itself.

        Oh.. and I see a lot of people saying that if you have problems with it not generating thumbnails you should open the permissions in that folder to 777. Humm.

        Have a look here; a forum posting where someone asks if doing that is a good idea:

  2. wiredfutureman

    Not every Wordpress

    Only those that use the plug-in. Secondly users need to have not altered the $allowedSites setting... Anyway, wish your "article" made it a bit clearer as it nearly gave me a heart attack when I was just thinking I was done for the day!

    More can be read in the official bug report on their Google Code page:

  3. Anonymous Coward
    Anonymous Coward


    I host a few WP sites for a few users, and have warned them against installing every plugin they can find. Not only can they be a potential vector if an exploit comes to light, they also slow down site response time.

    Fortunately runnig this in the docroots:

    find ./ -type f | grep -i timthumb

    revealed no instances.

    1. Anonymous Coward

      Pedantic I know but...


      find . -type f -iname \*timthumb\*

      Would allow you to avoid the unnecessary pipe?

      1. senti mental

        more thorough purge

        Personally, I'd consider the following a little more thorough..

        (find . -type f -exec grep -i --with-filename timthumb {} + && find . -iname \*timthumb\*)

        A more reliable approach could be:

        rm -Rf **/*.php

        In my experience, I've found it to clear up about 99.999% of known exploits.

      2. Tom 38 Silver badge

        Not pedantry

        Just wrong.

        The first command line searches all files for the string 'timthumb', your command line finds files that have the 'timthumb' in the filename, ignoring case.

        1. Ben 42


          Both do the same thing. To search all files for timthumb, you would do something like "grep -ri timthumb *".

          Though to be honest I probably would have just done "find . | grep -i timthumb". After all, there's no need to limit it to files (you want to find all references to timthumb, right?), and that version only requires me to remember one command option (-i). Maybe I have to turn in my geek card for admitting that I don't remember every option to every command off the top of my head and that I use unnecessary pipes, but I think I can live with that. ;-)

  4. Tim Brown 1

    It's a shame but

    although the core Wordpress code is of a generally high standard, the same cannot be said of a lot of plugins. I've lost count of the number of plugins that have interesting functionality, but when I've checked the code (which I always do before running on a live site), many exhibit basic coding errors.

  5. daviduk


    These find scripts dont take into account it being named however

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021