TimThumb WordPress vulnerability and Thesis theme?
I was surprised, after logging in to the Thesis theme forum, to read about the discovery of a PHP script vulnerability. (related: Thesis as best seo theme)
Fortunately, this vulnerability should not affect Thesis theme users unless the user has hacked or changed the Thesis code, because Thesis by default does not allow “images” hosted on remote websites. (related: add related posts in Thesis theme without plugin)
If you are a Thesis theme user, you can check the TimThumb WordPress and Thesis thread in the forum (you will need a username to log in).
Although it states that we (Thesis users) should not be worried about it, we should still keep an eye on updates; you never know. (related: should we upgrade Thesis theme)
And what about other WordPress bloggers who don’t use the Thesis theme? You can be affected, so read on.
Wait, what is TimThumb? What is the TimThumb WordPress vulnerability issue?
TimThumb is a PHP script, timthumb.php.
The timthumb.php script is used to modify a website’s images, including images hosted externally: for example, images hosted on Flickr that your website uses remotely via this script.
The WordPress image uploader already has this functionality without the timthumb.php script, but there are tons of themes, and even plugins, that use this script. (related: add wordpress featured image)
Now you will probably ask yourself: do I have plugins that use this PHP script? The answer is that you should check your plugins.
I have only about 12 plugins, which are listed in my best blog plugins post (after disabling some from the list), and I did not find any timthumb.php.
Even the WP Robot plugin does not use it, which makes me quite happy, since most of my other blogs use this plugin.
This is one of many reasons why we should use only very important plugins: if we have to check them, it won’t be a big problem.
Basically, other than plugins, your theme can be affected by this issue too.
How does the TimThumb WordPress themes vulnerability happen? Many themes use this script to enhance their functionality.
What themes are affected by this issue?
I have to mention that the themes affected by this include themes listed in the WordPress themes database.
So if you have downloaded a theme from any other website, you will have to be extra careful and check for other issues too.
Until now, famous free themes like the Arras theme, Mystique, Magazine Basic, etc. have been using this script.
You can read part of the list of the affected themes on this page.
Does this security issue only affect WordPress? A big NO. It affects any blog or website that is PHP based AND uses this timthumb.php script.
It affects WordPress themes and plugins because some of them use this script, BUT it does not affect WordPress core files. For example, if your blog has only the default theme and default plugins, you have nothing to worry about.
Problems only come if you add or install themes or plugins that use this PHP script.
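Checking your plugins and theme, as recommended above, comes down to searching wp-content for the script, and themes often ship it under a filename other than timthumb.php. The following shell script is an added example (not from the original post): it reports every PHP file that mentions TimThumb and pulls the version out of the `define ('VERSION', ...)` line the script carries, which is an assumption about the script’s layout that you should verify against your own copy. The directory tree it scans is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: inventory TimThumb copies under wp-content.
# Themes and plugins often ship the script under another filename, so match on the
# string "TimThumb" inside PHP files instead of relying on the name timthumb.php.
# Assumption: the script states its version in a line like  define ('VERSION', '1.34');
# Hits reported as "unknown" are usually files that merely include or call the script.

# find_timthumb DIR  ->  one "path<TAB>version" line per PHP file mentioning TimThumb
find_timthumb() {
    find "$1" -type f -name '*.php' 2>/dev/null | sort | while IFS= read -r f; do
        if grep -qi 'timthumb' "$f"; then
            ver=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
            printf '%s\t%s\n' "$f" "${ver:-unknown}"
        fi
    done
}

# make_sample  ->  prints the path of a constructed tree standing in for wp-content
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/themes/demo-theme/lib" "$root/plugins/demo-plugin"
    # theme copy under the original name (constructed stub, not the real script)
    cat > "$root/themes/demo-theme/lib/timthumb.php" <<'EOF'
<?php
/* TimThumb script (constructed stub) */
define ('VERSION', '1.34');
EOF
    # plugin copy under a different name, as often happens (constructed stub)
    cat > "$root/plugins/demo-plugin/thumb.php" <<'EOF'
<?php
// TimThumb (constructed stub)
define ('VERSION', '2.8.10');
EOF
    # unrelated PHP file that must not be reported
    printf '<?php\necho "hello";\n' > "$root/plugins/demo-plugin/index.php"
    printf '%s\n' "$root"
}

# Scan a real install with:  find_timthumb /path/to/wp-content
find_timthumb "$(make_sample)"
```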
TimThumb WordPress vulnerability reference
1. A blog that was affected and hacked through this script.
3. A fix for those who use some of the WooThemes themes.
4. A fix for those who use Elegant Themes templates.
Are you using a theme or plugin that has the TimThumb WordPress vulnerability issue? It is best to check now.
Joe Ban says
I really enjoy your articles. I had a question that I wondered if you could help with. I wrote a recent article for my WordPress site and had the spacing the way I wanted, but when it was published the spacing between paragraphs was gone. I can’t seem to fix it, since my edit area shows my spacing but viewers don’t see it. Any ideas? Thanks.