Recent TimThumb Exploit and its Impact on You

Folks familiar with the WordPress universe are probably aware of a major vulnerability that was discovered in TimThumb recently. For others, TimThumb is an image-resizing script that is very popular among WP theme developers who like to offer users that extra bit of customization. When the WP team was made aware of the vulnerability, they immediately suspended all themes in the WP repository that bundled TimThumb and sent a message to the authors asking them to fix their themes.

In fact, Suffusion had TimThumb bundled with it for a long time, since version 3.2.2. However, owing to a crackdown by the WP Theme Review Team on themes not using WP’s native resizing capabilities, I took the decision to remove TimThumb from Suffusion’s core in version 3.7.5.

So why am I writing this? There are a couple of reasons:

  1. Some sites have been publishing false and half-researched information claiming that Suffusion has TimThumb. I did post back on their site pointing out that Suffusion hasn’t had a trace of TimThumb for six months, but I don’t see that things have changed. Just to assuage your concerns, here is how you can check for yourself:
    1. Go to Suffusion’s version control page on WP.
    2. Click on the link for the latest version, 3.8.2. You will not see anything that deals with TimThumb anywhere. Themes that bundle TimThumb typically carry it as a file called timthumb.php or thumb.php; Suffusion has neither.
    3. In fact, check back to version 3.7.4, and you won’t see it anywhere.
  2. Now, the real reason for writing. A user posted a question on the support forum asking why thumbnails were not displaying. I checked, and found that the site in question was using TimThumb. Digging just a bit further revealed that the user was on a version of the theme that is almost one year old, while TimThumb had been removed from the theme quite a while ago. So, if you have a version of Suffusion at 3.7.3 or older, please UPGRADE now!!! Even if you have backups of WP with old versions of the theme, or backups of old versions of the theme itself, do the upgrade. I cannot stress enough how important this is! It might be a case of closing the stable door after the horse has bolted, but it is better to secure your server now rather than later. Note that if your installation is already infected, you have to do a major cleanup of your site, and it is best to hire an expert for it. Also note that even if you have other themes on your site that are not active, and those themes have TimThumb, your site still stands the risk of being infected: TimThumb is a stand-alone script that can be requested directly by URL without loading WordPress, so a copy sitting in an inactive theme is just as reachable as one in the active theme.
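The checks above can be done on the server itself rather than on the WP version-control page. The following script is an added example (not from this post and not part of Suffusion): it walks the whole wp-content tree, so it covers inactive themes and, going a little beyond the post, plugins that bundle TimThumb too. Assumptions: the WordPress root is passed as the first argument (defaulting to /var/www/html), a renamed copy still mentions "TimThumb" in its own source, and a TimThumb 2.x copy declares its version on a `define ('VERSION', '…')` line.

```shell
#!/bin/sh
# Added example (not from the post): find every copy of TimThumb under wp-content,
# whatever theme or plugin it came with and whether or not that theme is active.
# Assumption: the WordPress root is passed as $1 (defaults to /var/www/html).

find_timthumb() {
  wp_root="${1:-/var/www/html}"
  content="$wp_root/wp-content"
  [ -d "$content" ] || { echo "no wp-content at $content" >&2; return 2; }
  # 1) the file names the post mentions, in any theme or plugin, at any depth
  find "$content" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) -print
  # 2) renamed copies: any other PHP file whose source mentions TimThumb
  #    (assumption: the script's own header comment does, so a rename does not hide it)
  find "$content" -type f -iname '*.php' \
    ! \( -iname 'timthumb.php' -o -iname 'thumb.php' \) \
    -exec grep -il 'timthumb' {} + 2>/dev/null || true
}

# Report the version a given copy declares. Assumption: TimThumb 2.x carries a line
# of the form  define ('VERSION', '2.8.14');  near the top; other copies may not.
timthumb_version() {
  v=$(grep -o "define *( *'VERSION', *'[0-9.]*'" "$1" 2>/dev/null | head -n 1 |
      sed "s/.*'VERSION', *'//; s/'\$//")
  echo "${v:-unknown}"
}

# Usage: scan a site and print each hit as "<version><TAB><path>"
scan_site() {
  find_timthumb "$1" | while IFS= read -r f; do
    printf '%s\t%s\n' "$(timthumb_version "$f")" "$f"
  done
}
```

Run it as `sh scan.sh /path/to/wordpress`. Every path it prints is reachable by URL regardless of which theme is active, so each one either gets deleted (if the theme is not in use) or replaced with the theme author's fixed release; a copy reporting "unknown" is usually an old 1.x script and should be treated as vulnerable.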

The current released version (3.8.2) is quite stable. It has very few bugs, and they are fairly minor and pertain entirely to new functionality, so you shouldn’t face any issues due to the upgrade. As you are probably aware, I make every effort possible to keep the change impact low, so things should generally be fine if you are upgrading from a pre-3.7.5 version to the current one. However, some users have lost some flexibility with respect to resizing: TimThumb could scale images up as well as down, whereas the native resizer only scales down.

2 Responses to “Recent TimThumb Exploit and its Impact on You”

  1. I unfortunately had a site hacked; I hadn’t upgraded because of modifications made to the theme. I made a quick fix for now, replacing timthumb.php with the latest version.

    Upgrading is not that easy if you have made modifications to magazine.php or other files. I’ll have to think out a workflow that involves diffing the files to keep the modifications, but this is not my full-time job…

    • Upgrading is not that easy if you have made modifications to magazine.php or other files.

      I beg to differ. If you have made your changes via child themes then upgrading is a very simple process. For things like the magazine template you can simply copy the file to your child theme and then make the edits there.
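The child-theme workflow the reply describes, as an added example that is not part of the original post, the comments, or the Suffusion project: a script that scaffolds a child theme, copies one parent template (such as magazine.php) into it so edits survive parent upgrades, and lists which parent files a pristine copy differs from, which is the "diffing" the first commenter was looking for. Assumptions: the parent theme directory is named `suffusion` under wp-content/themes, the child is created beside it, and the page template is resolved from the child theme first (standard WordPress behaviour for templates loaded through the theme API, not for files the theme includes by hard-coded path).

```shell
#!/bin/sh
# Added example (not from the post or the Suffusion project): keep local theme
# edits in a child theme so that upgrading the parent never overwrites them.
# Assumptions: parent theme directory is wp-content/themes/suffusion; $1 is the
# WordPress install root.

make_child_theme() {
  wp_root="$1"
  child="${2:-suffusion-child}"
  themes="$wp_root/wp-content/themes"
  parent="$themes/suffusion"
  [ -d "$parent" ] || { echo "parent theme not found at $parent" >&2; return 2; }
  mkdir -p "$themes/$child"
  # style.css: the "Template:" header is what makes this a child of "suffusion"
  cat > "$themes/$child/style.css" <<'EOF'
/*
Theme Name: Suffusion Child
Template: suffusion
*/
EOF
  # functions.php: load the parent stylesheet first, then the child's own
  cat > "$themes/$child/functions.php" <<'EOF'
<?php
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_style( 'suffusion-parent', get_template_directory_uri() . '/style.css' );
    wp_enqueue_style( 'suffusion-child', get_stylesheet_uri(), array( 'suffusion-parent' ) );
} );
EOF
  echo "$themes/$child"
}

# Copy one template (e.g. magazine.php) from the parent into the child. WordPress
# looks in the child theme first, so edits to the copy override the parent's file
# and are left alone when the parent is upgraded. Refuses to clobber an existing copy.
override_template() {
  wp_root="$1"; child="$2"; file="$3"
  src="$wp_root/wp-content/themes/suffusion/$file"
  dst="$wp_root/wp-content/themes/$child/$file"
  [ -f "$src" ] || { echo "no $file in parent theme" >&2; return 2; }
  [ -e "$dst" ] && { echo "$dst already exists, not overwriting" >&2; return 1; }
  mkdir -p "$(dirname "$dst")"
  cp "$src" "$dst"
  echo "$dst"
}

# List files in a locally modified parent theme that differ from a pristine copy of
# the same version: these are the edits that still have to be ported into the child.
# (Files that exist on only one side show up as "Only in" lines and are not listed.)
list_local_edits() {
  pristine="$1"; modified="$2"
  diff -rq "$pristine" "$modified" | sed -n 's/^Files .* and \(.*\) differ$/\1/p'
}
```

Typical use: unpack a pristine copy of the version you are running, call `list_local_edits` to see which files you changed, create the child with `make_child_theme`, pull each changed template across with `override_template`, re-apply your edits there, and then upgrade the parent freely. Note that only templates resolved through the theme API are overridden this way; CSS changes belong in the child's style.css.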