3aIT Blog

A "zero-day" security vulnerability has been found in a WordPress image resizing library called TimThumb. A "library" is a section of code that other bits of code can call on to perform a common task, and in this case lots of disparate plugins rely on this one library to resize images for them. That means that while it is only this one library that has the issue, many WordPress plugins are at risk because they all bundle or call this library.

The vulnerability allows an attacker to remotely execute code of their choosing on the affected website. Once they have that foothold, the website can easily be compromised in whatever way the attacker wants.

Popular plugins that are now vulnerable because of this issue include TimThumb, WordThumb, Wordpress Gallery Plugin and IGIT Posts Slider. This is by no means a comprehensive list: any plugin or theme that ships its own copy of the library is affected.

If you do have a plugin that is affected by this, the risk can be mitigated by turning off the "Webshot" option within the TimThumb configuration file, as it is this section of the library that contains the bug in the code. Note that each plugin carries its own copy of the library, so the option has to be checked in every copy, not just one.
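Because every affected plugin ships its own copy of the library, the practical first step is to find all of them and check the Webshot setting in each. The script below is an added example written for this post, not code from 3aIT or from the TimThumb project. It relies on two facts about TimThumb: the option is the PHP constant `WEBSHOT_ENABLED`, and the library reads an adjacent `timthumb-config.php` before falling back to the define in `timthumb.php` itself. The file names it searches for (`timthumb.php` and the renamed `thumb.php` some themes use) and the directory layout in the usage example are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post or of TimThumb itself.
# Walks a WordPress install, finds every bundled copy of the TimThumb
# library and reports whether its Webshot feature is switched on.

# Report ENABLED, DISABLED or "NOT SET" for one copy of the library.
# TimThumb loads timthumb-config.php from the same directory if it exists,
# so that file takes precedence over the define inside timthumb.php.
# When neither file sets the constant, TimThumb defaults it to false.
webshot_status() {
    f="$1"
    cfg="$(dirname "$f")/timthumb-config.php"
    for candidate in "$cfg" "$f"; do
        [ -f "$candidate" ] || continue
        # Match define('WEBSHOT_ENABLED', true) with either quote style,
        # optional whitespace and any letter case (PHP accepts TRUE/true).
        if grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*true" "$candidate"; then
            echo ENABLED
            return 0
        elif grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*false" "$candidate"; then
            echo DISABLED
            return 0
        fi
    done
    echo "NOT SET"
}

# List every copy of the library under a WordPress root, one per line,
# as "<status><TAB><path>". The file names searched are an assumption:
# plugins usually keep timthumb.php, some themes rename it thumb.php.
audit_timthumb() {
    find "$1" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) -print |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(webshot_status "$f")" "$f"
    done
}

# Stand-alone usage: sh audit-timthumb.sh /var/www/html
if [ $# -gt 0 ]; then
    audit_timthumb "$1"
fi
```

Any line starting with ENABLED is a copy where the vulnerable Webshot code path is reachable and the define should be set to `false` (or the plugin updated or removed); DISABLED and "NOT SET" both mean the feature is off, since the library's own default is false. Run it again after updating plugins, because an update can silently reinstall a copy with the option turned back on.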

Issues such as this highlight the importance of keeping your website CMS, and the plugins and themes installed on it, up to date at all times. We offer a couple of CMS maintenance contracts for those who lack the knowledge or the time to keep on top of threats like this themselves.

For the technically minded among you, there are some specifics on how this exploit works here:
http://thehackernews.com/2014/06/zero-day-timthumb-webshot-vulnerability.html