I received an email from a buyer today linking me to a post made by a blog owner about a serious vulnerability in timthumb that led to his site being hacked. I don’t use timthumb in my themes but I know a lot of people do so I thought I would post it here to make sure authors are aware of the problem and can apply fixes to their themes.
Thanks for posting this Eugene. I’m actually working on a site that’ll use the script and this is good to know. Appreciated
This will start a frenzy among customers… already started with our themes.
I’ve already updated
As a “buyer” I went through the panic of checking all our sites and checking/replacing the latest version of timthumb.php (renamed to thumb.php by some). So for the help of other buyers out there I can confirm that at least the following do use instances of timthumb:

- PLUGINS (timthumb.php): Sugar slider
- WP THEMES (timthumb.php): CONCISE, CORPORATE, PUREVISION, LEVITATION, CLOCKSTONE, RTTHEME6, LOTUS, SINTAGMA, DANDELION, BIG FEATURE, INNOVA, AMPLIFY
- WP THEMES (thumb.php): INFOCUS
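The check the post above describes (walk every site, find each copy of the script whether it is named timthumb.php or thumb.php, and compare it with the latest version) is easy to get wrong by hand across many installs. The script below is an added example, not code from the thread or from the TimThumb project: it scans a web root for PHP files that carry the TimThumb marker in their source and reports the version string from each. It assumes the upstream script identifies itself with the word "TimThumb" in a comment and declares its version with a line of the form `define ('VERSION', '...');`; both are assumptions about the script's layout, and the sample site it builds under a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Inventory TimThumb copies under a WordPress web root (added example).
# Assumption: the script's source mentions "TimThumb" in a comment and
# carries a line like  define ('VERSION', '2.8.x');  (upstream layout).

# find_timthumb ROOT : list every .php file under ROOT whose source
# mentions TimThumb, regardless of the file name it was renamed to.
find_timthumb() {
    find "$1" -type f -name '*.php' -exec grep -l -i 'timthumb' {} + 2>/dev/null | sort
}

# timthumb_version FILE : print the VERSION define from FILE, or nothing
# if the file does not declare one.
timthumb_version() {
    sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# count_timthumb ROOT : number of TimThumb copies found under ROOT.
count_timthumb() {
    find_timthumb "$1" | wc -l | tr -d ' '
}

# report_timthumb ROOT : one line per copy, "version<TAB>path", so the
# result can be diffed against the current upstream release number.
report_timthumb() {
    find_timthumb "$1" | while IFS= read -r f; do
        v=$(timthumb_version "$f")
        printf '%s\t%s\n' "${v:-unknown}" "$f"
    done
}

# make_sample_site : build a constructed stand-in for a WordPress tree with
# two renamed TimThumb copies and one unrelated thumb.php; prints its path.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/alpha/lib" \
             "$root/wp-content/themes/beta" \
             "$root/wp-content/plugins/gamma"
    # constructed stub: only the header comment and VERSION line of the real script
    printf '%s\n' '<?php' '/* TimThumb script (constructed stub) */' \
        "define ('VERSION', '1.32');" \
        > "$root/wp-content/themes/alpha/lib/timthumb.php"
    printf '%s\n' '<?php' '// TimThumb (constructed stub, renamed copy)' \
        "define ('VERSION', '2.8.14');" \
        > "$root/wp-content/themes/beta/thumb.php"
    # same file name, but not TimThumb: must not be reported
    printf '%s\n' '<?php' '// unrelated thumbnail helper' \
        > "$root/wp-content/plugins/gamma/thumb.php"
    echo "$root"
}

# Usage: sh timthumb_inventory.sh /var/www/html
if [ $# -gt 0 ]; then
    report_timthumb "$1"
fi
```

Run it against each web root and compare the reported version with the current TimThumb release; the grep on file content rather than file name is what catches the renamed copies the post mentions.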