The Timthumb 0-day security vulnerability is generating a lot of noise and for good reason. If you have a theme that includes TimThumb, your site can be easily hacked.
Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb.
If you use any of the following themes please check to see if the script is present, and make sure it is updated:
automotive-blog-theme/Quick Cash Auto/timthumb.php
Caution: This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not found on this list it is a good idea to do a thorough review for the script, and not a bad thought to contact the theme author.
Note: We only listed the free themes found in the WordPress Free Themes Directory SVN; there are probably many more themes that include TimThumb in the premium theme market. Make sure to check with your vendor to ensure the vulnerability has been fixed if they include the script.
Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository, they are not all publicly available for download.
If you have any questions, let us know.
Not all of these themes you have listed are approved and in the theme system. The SVN can contain unlisted themes as well.
Very good point Otto. The post has been edited to reflect so.
Thanks as usual!
whitepress also uses timthumb!
Suffusion is listed, and as a user of that I feel obligated to mention that timthumb was removed as of version 3.7.5 – the current version is 3.8.2
Hi Barry, thanks for the comment. According to the version scraped from the repository the file still exists in the theme. This is a good time for all theme authors to verify that everything in the repository is up to date and is reflecting properly.
Thanks again for your comment.
Hi Dre, Thanks for the quick reply. Based on your comment I scraped through the current release and the only mention of timthumb is in a comment in media.php. There is no timthumb.php or thumb.php present in version 3.8.2 – I’m not sure what the repository holds, if it’s old versions or what. But if it is an older version, then shame on the person that picks it up, the same as using an older version of WP or any other open source package. I’ll try to make mention of this to the author on his support forum.
As the author of Suffusion I feel obligated to point out that whatever methodology you used to determine your list of themes, it is plain wrong. TimThumb was removed from the theme about 6
You probably looked at http://themes.svn.wordpress.org/, then simply pulled up any themes that might have ever had TimThumb in it. If that is the case, you should amend your article above to change to something more appropriate. FYI, this is the list of all versions of the theme: http://themes.svn.wordpress.org/suffusion/. Take a look at the latest version (http://themes.svn.wordpress.org/suffusion/3.8.2/) or for that matter any version 3.7.4 onwards and let me know if you see the TimThumb script anywhere.
Your scraper is probably doing things wrong if it reports the script being present in the latest versions. I can point out at least a few other themes that haven’t had TimThumb for a while now.
Hi! Thanks for the list of themes, but there is an error: the Calotropis theme from itx doesn’t use timthumb.php, or it has another name!
Greets from Germany and sorry for my bad English!
I use the ‘constructor’ theme on one site in version 1.57 and on another in 1.62, the latest.
Unfortunately, I can’t find a script named timthumb.php in my FTP.
And at first look, the script thumb.php in constructor, mentioned in the list, doesn’t resemble timthumb.php!
I used timthumb in a very old version of Constructor < 1.0.0
Don't worry, your version does not have this security vulnerability
The file constructor/layouts/thumb.php is not a timthumb script
As the author of Constructor I feel obligated to mention that timthumb was removed as of version 1.0.0 – 15 months ago. The current version is 1.6.2.
Add PROSTO, from themeforest, to the list of vulnerable themes: http://themeforest.net/item/prosto-business-portfolio-cms-wordpress-theme/
Oh great. So this is why some of my sites that use timthumb redirect to an unknown page. O_O. Will update all my themes now with timthumb. 😀
ElegantThemes is/was using TT as well: http://www.elegantthemes.com/blog/theme-changesbug-fixes/timthumb-vulnerability-security-update
Just a heads up, but I found that the WP-Mobile-Detector plugin uses this.
None of my themes had it but I’ve used this plugin on a number of my themes and have now deleted it.
The Polished theme has the same vuln with 1.19
leetpress also uses version 1.14 of timthumb
and another 4 themes:
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….
Awesome logic behind! Thanks for sharing this with me!
I’m clean. =)
Also ReporterBlog, how to fix it?
http://codecanyon.net/item/slider-pro-wordpress-premium-slider-plugin defaults with timthumb but can be disabled.
Had lost 2 hours on this. Here is my solution:
The server didn’t return the right DOCUMENT_ROOT, so in thumb.php I had to add
$_SERVER["DOCUMENT_ROOT"] = '/domains/www/public_html';
In my case I’ve looked for the DOCUMENT_ROOT with
OptimizePress can be added to list