Timthumb Security Vulnerability – List of Themes

August 3, 2011, by David Dede


The Timthumb 0-day security vulnerability is generating a lot of noise and for good reason. If you have a theme that includes TimThumb, your site can be easily hacked.

Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb.

If you use any of the following themes, please check whether the script is present and make sure it is updated:

8q/scripts/timthumb.php
aerial/lib/timthumb.php
aesthete/timthumb.php
albizia/includes/timthumb.php
amphion-lite/script/timthumb.php
aqua-blue/includes/timthumb.php
aranovo/scripts/timthumb.php
arras/library/timthumb.php
arras-theme/library/timthumb.php
arthemix-bronze/scripts/timthumb.php
arthemix-green/scripts/timthumb.php
artisan/includes/timthumb.php
a-simple-business-theme/scripts/timthumb.php
a-supercms/timthumb.php
aureola/scripts/timthumb.php
aurorae/timthumb.php
autofashion/thumb.php
automotive-blog-theme/Quick Cash Auto/timthumb.php
automotive-blog-theme/timthumb.php
bikes/thumb.php
black_eve/timthumb.php
blex/scripts/timthumb.php
bloggnorge-a1/scripts/timthumb.php
blogified/timthumb.php
blue-corporate-hyve-theme/timthumb.php
bluemag/library/timthumb.php
blue-news/scripts/timthumb.php
bombax/includes/timthumb.php
breakingnewz/timthumb.php
brightsky/scripts/timthumb.php
brochure-melbourne/includes/timthumb.php
business-turnkey/assets/js/timthumb.php
calotropis/includes/timthumb.php
coffee-lite/thumb.php
comet/scripts/timthumb.php
conceditor-wp-strict/scripts/timthumb.php
constructor/layouts/thumb.php
constructor/libs/timthumb.php
constructor/timthumb.php
coverht-wp/scripts/timthumb.php
cover-wp/scripts/timthumb.php
dark-dream-media/timthumb.php
deep-blue/timthumb.php
delicate/thumb.php
diamond-ray/thumb.php
dieselclothings/thumb.php
digitalblue/thumb.php
dimenzion/timthumb.php
epione/script/timthumb.php
evr-green/scripts/timthumb.php
famous/megaframe/megapanel/inc/upload.php
famous/timthumb.php
fashion-style/thumb.php
featuring/timthumb.php
fliphoto/timthumb.php
flix/timthumb.php
fordreporter/scripts/thumb.php
freeside/thumb.php
fresh-blu/scripts/timthumb.php
go-green/modules/timthumb.php
granite-lite/scripts/timthumb.php
greydove/timthumb.php
greyzed/functions/efrog/lib/timthumb.php
gunungkidul/thumb.php
heartspotting-beta/thumb.php
heli-1-wordpress-theme/images/timthumb.php
ideatheme/timthumb.php
impressio/timthumb/timthumb.php
introvert/thumb.php
inuit-types/thumb.php
isotherm-news/thumb.php
iwana-v10/timthumb.php
jambo/thumb.php
jcblackone/thumb.php
kratalistic/thumb.php
life-style-free/thumb.php
likehacker/timthumb.php
litepress/scripts/timthumb.php
loganpress-premium-theme-1/thumb.php
magazine-basic/thumb.php
magup/timthumb.php
make-money-online-theme-1/scripts/timthumb.php
make-money-online-theme-2/scripts/timthumb.php
make-money-online-theme-3/scripts/timthumb.php
make-money-online-theme-4/scripts/timthumb.php
make-money-online-theme/scripts/timthumb.php
meintest/layouts/thumb.php
mobilephonecomparision/thumb.php
moi-magazine/timthumb.php
my-heli/images/timthumb.php
mymag/timthumb.php
mystique/extensions/auto-thumb/timthumb.php
nash/theme-assets/php/timthumb.php
neofresh/timthumb.php
neo_wdl/includes/extensions/thumb.php
new-green-natural-living-ngnl/scripts/timthumb.php
newspress/thumb.php
pearlie/scripts/timthumb.php
pico/scripts/timthumb.php
postage-sydney/includes/timthumb.php
premium-violet/thumb.php
probluezine/timthumb.php
pronto/cjl/pronto/uploadify/check.php
pronto/cjl/pronto/uploadify/uploadify.php
r755/thumb.php
regal/timthumb.php
shaan/timthumb.php
shadow-block/thumb.php
shadow/timthumb.php
simple-but-great/timthumb.php
simplenews_premium/scripts/timthumb.php
simple-red-theme/timthumb.php
simple-tabloid/thumb.php
simplewhite/timthumb.php
slidette/timThumb/timthumb.php
snowblind_colbert/thumb.php
snowblind/thumb.php
spotlight/timthumb.php
squeezepage/timthumb.php
standout/thumb.php
suffusion/timthumb.php
swift/includes/thumb.php
swift/includes/timthumb.php
swift/timthumb.php
techozoic-fluid/options/thumb.php
the_dark_os/tools/timthumb.php
themetiger-fashion/thumb.php
theory/thumb.php
the-theme/core/libs/thumbnails/thumb.php
thrillingtheme/thumb.php
tm-theme/js/timthumb.php
totallyred/scripts/timthumb.php
travelogue-theme/scripts/timthumb.php
true-blue-theme/timthumb.php
ttnews-theme/timthumb.php
twittplus/scripts/timthumb.php
typographywp/timthumb.php
ugly/timthumb.php
unity/timthumb.php
versitility/timthumb.php
vibefolio-teaser-10/scripts/timthumb.php
vina/thumb.php
whitemag/script/thumb.php
wpapi/thumb.php
wpbus-d4/includes/timthumb.php
wp-creativix/scripts/timthumb.php
wp-newsmagazine/scripts/timthumb.php
wp-perfect/js/timthumb.php
wp-premium-orange/timthumb.php
xiando-one/thumb.php
zcool-like/timthumb.php
zcool-like/uploadify.php

Caution: This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not on this list, it is a good idea to do a thorough review for the script, and it is also worth contacting the theme author.

Note: We only listed the free themes found in the WordPress Free Themes Directory SVN; there are probably many more themes in the premium theme market that include TimThumb. If your vendor ships the script, check with them to ensure the vulnerability has been fixed.
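The post asks readers to check whether the script is present and whether it is up to date. The scanner below is an added example, not Sucuri's code and not part of any theme: it walks a wp-content/themes tree, flags files named timthumb.php or thumb.php as well as any .php file whose contents mention TimThumb (so renamed copies are found, while a thumb.php that is not TimThumb at all, like the Constructor case raised in the comments below, is reported for manual review rather than as vulnerable), and reads the define('VERSION', ...) line to compare against a minimum version you supply. The sample theme tree it builds is constructed for the demo, and the "2.0" threshold is an assumed placeholder: set it to the version your vendor or the TimThumb project declares fixed.

```python
"""Added example (not Sucuri's or any theme's code): find TimThumb copies under a
WordPress themes directory and report their version.

Assumptions: a TimThumb copy is recognised by the string "TimThumb" in its
contents (the script's header comment) and by its define('VERSION', ...) line;
renamed copies (thumb.php) usually keep both.  MIN_VERSION_PLACEHOLDER is a
stand-in; pass the version your vendor or the TimThumb project declares fixed.
"""
import os
import re
import tempfile

THUMB_NAMES = {"timthumb.php", "thumb.php"}
# Matches define('VERSION', '1.14') with either quote style and loose spacing.
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9][0-9.]*)['"]\s*\)""",
    re.IGNORECASE,
)
MIN_VERSION_PLACEHOLDER = "2.0"  # assumed threshold for the demo only


def version_tuple(version):
    """'2.8.14' -> (2, 8, 14) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def inspect_php(path):
    """Return a finding for one PHP file, or None if nothing about it is suspect."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        return None
    name_match = os.path.basename(path).lower() in THUMB_NAMES
    is_timthumb = "timthumb" in content.lower()  # assumption: header comment survives
    if not (name_match or is_timthumb):
        return None
    match = VERSION_RE.search(content)
    return {
        "path": path,
        "name_match": name_match,
        "is_timthumb": is_timthumb,
        "version": match.group(1) if match else None,
    }


def classify(finding, min_version):
    """Turn a finding into an action the site owner can take."""
    if not finding["is_timthumb"]:
        return "name only - review manually"
    if finding["version"] is None:
        return "timthumb, version unknown - replace"
    if version_tuple(finding["version"]) < version_tuple(min_version):
        return "timthumb, outdated - update"
    return "timthumb, at or above minimum"


def scan_themes(themes_dir, min_version):
    """Walk themes_dir and return findings sorted by theme-relative path."""
    findings = []
    for dirpath, _dirs, files in os.walk(themes_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            finding = inspect_php(os.path.join(dirpath, name))
            if finding is None:
                continue
            rel = os.path.relpath(finding["path"], themes_dir)
            finding["rel"] = rel.replace(os.sep, "/")
            finding["status"] = classify(finding, min_version)
            findings.append(finding)
    return sorted(findings, key=lambda f: f["rel"])


def build_sample_tree(base):
    """Write a constructed themes tree (not real themes) for the demo."""
    samples = {
        # constructed stub of an old TimThumb copy
        "oldtheme/scripts/timthumb.php": "<?php\n/* TimThumb script (constructed stub) */\n"
                                         "define ('VERSION', '1.14');\n",
        # constructed renamed copy that kept its header and version line
        "renamed/thumb.php": "<?php\n// TimThumb (constructed stub)\n"
                             "define('VERSION', '2.8.14');\n",
        # constructed thumb.php that is the theme's own resizer, not the script
        "notthumb/layouts/thumb.php": "<?php\n// theme's own image resizer\n",
        "clean/functions.php": "<?php\n// nothing of interest\n",
    }
    themes_dir = os.path.join(base, "themes")
    for rel, body in samples.items():
        full = os.path.join(themes_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return themes_dir


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    themes_dir = build_sample_tree(tempfile.mkdtemp())
    return scan_themes(themes_dir, MIN_VERSION_PLACEHOLDER)


if __name__ == "__main__":
    # Real use: scan_themes("/path/to/wp-content/themes", "<fixed version>")
    for f in demo():
        print(f"{f['rel']:32} version={str(f['version']):8} {f['status']}")
```

Scanning every .php file for the TimThumb marker rather than only the two well-known filenames is what catches the "it has another name" case; conversely, a thumb.php without the marker is deliberately not labelled vulnerable, because the filename alone proves nothing.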

Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository, they are not all publicly available for download.


If you have any questions, let us know.


Categories: Vulnerability Disclosure, Website Security, WordPress Security

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.


Comments

  1. Otto

    August 3, 2011

    Not all of these themes you have listed are approved and in the theme system. The SVN can contain unlisted themes as well.

    • Andres Armeda

      August 3, 2011

      Very good point Otto. The post has been edited to reflect so.

      Thanks as usual!

      Best,
      Dre

  2. Simon

    August 4, 2011

    whitepress also uses timthumb!

  3. BarryW

    August 5, 2011

    Suffusion is listed, and as a user of that I feel obligated to mention that timthumb was removed as of version 3.7.5 – the current version is 3.8.2

    • Andres Armeda

      August 5, 2011

      Hi Barry, thanks for the comment. According to the version scraped from the repository the file still exists in the theme. This is a good time for all theme authors to verify that everything in the repository is up to date and is reflecting properly.

      Thanks again for your comment.

      Dre

      • BarryW

        August 5, 2011

        Hi Dre, thanks for the quick reply. Based on your comment I scraped through the current release and the only mention of timthumb is in a comment in media.php. There is no timthumb.php or thumb.php present in version 3.8.2 – I'm not sure what the repository holds, if it's old versions or what. But if it is an older version, then shame on the person that picks it up, the same as using an older version of WP or any other open source package. I'll try to make mention of this to the author on his support forum.

        Cheers,
        Barry

      • Sayontan

        August 6, 2011

        As the author of Suffusion I feel obligated to point out that whatever methodology you used to determine your list of themes, it is plain wrong. TimThumb was removed from the theme about 6 months back.

        You probably looked at http://themes.svn.wordpress.org/, then simply pulled up any themes that might have ever had TimThumb in it. If that is the case, you should amend your article above to change "aggregated a list of themes that include TimThumb" to something more appropriate. FYI, this is the list of all versions of the theme: http://themes.svn.wordpress.org/suffusion/. Take a look at the latest version (http://themes.svn.wordpress.org/suffusion/3.8.2/) or for that matter any version 3.7.4 onwards and let me know if you see the TimThumb script anywhere.

        Your scraper is probably doing things wrong if it reports the script being present in the latest versions. I can point out at least a few other themes that haven't had TimThumb for a while now.

  4. Michael Speier

    August 6, 2011

    Hi! Thanks for the list of themes, but there is an error: the theme Calotropis from itx doesn't use timthumb.php, or it has another name!

    Greets from Germany and sorry for my bad English!

    Mike, TmoWizard

  5. Volker

    August 17, 2011

    I use the 'constructor' theme on 1 site in version 1.57 and on another in 1.62, the latest.
    Unfortunately, I can't find a script named timthumb.php in my FTP.
    And at first look, the script thumb.php in constructor, mentioned in the list,
    doesn't resemble timthumb.php!

    ??
    cheers volker

    • Anton Shevchuk

      August 17, 2011

      Hi,
      I used timthumb in a very old version of Constructor < 1.0.0.
      Don't worry, your version does not have the security vulnerability.

    • Anton Shevchuk

      August 17, 2011

      The file constructor/layouts/thumb.php is not a timthumb script.

  6. Anton Shevchuk

    August 17, 2011

    As the author of Constructor I feel obligated to mention that timthumb was removed as of version 1.0.0 – 15 months ago. The current version is 1.6.2.

  7. Eddie

    August 18, 2011

    add PROSTO, from themeforest, to the list of vulnerable themes http://themeforest.net/item/prosto-business-portfolio-cms-wordpress-theme/

  8. jehzlau

    August 19, 2011

    Oh great. So this is why some of my sites that use timthumb redirect to an unknown page. O_O. Will update timthumb in all my themes now. 😀

  9. crash >_

    August 20, 2011

    also…

    monochrome/timthumb.php

  10. Jacques

    August 24, 2011

    ElegantThemes is/was using TT as well: http://www.elegantthemes.com/blog/theme-changesbug-fixes/timthumb-vulnerability-security-update

  11. t4c

    August 29, 2011

    themes/androida-theme/androida/timthumb.php
    http://www.web2feel.com/androida-theme/

  12. Nat

    September 1, 2011

    Just a heads up, but I found that the WP-Mobile-Detector plugin uses this.

    None of my themes had it but I’ve used this plugin on a number of my themes and have now deleted it.

  13. Nkni

    September 14, 2011

    The Polished theme has the same vuln with 1.19.

  14. Sam

    September 21, 2011

    leetpress also uses version 1.14 of timthumb.

  15. Kau-Boy

    October 18, 2011

    and another 4 themes:

    premiumnews/thumb.php
    typebased/thumb.php
    metamorphosis/thumb.php
    mainstream/thumb.php

  16. Parag

    October 21, 2011

    It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  17. Chandra bose

    October 28, 2011

    Awesome logic behind! Thanks for sharing this with me!

    WordPress templates

  18. Alan Lupatini

    November 3, 2011

    I’m clean. =)

  19. hackLover

    November 8, 2011

    Also ReporterBlog, how to fix it?

  20. otmn

    January 24, 2012

    http://codecanyon.net/item/slider-pro-wordpress-premium-slider-plugin defaults with timthumb but can be disabled. 

  21. Poljane

    June 6, 2012

    Had lost 2 hours on this. Here is my solution:

    Server didn’t return the right DOCUMENT_ROOT, so in thumb.php I had to add

    $_SERVER["DOCUMENT_ROOT"] = '/domains/www/public_html';

    In my case I’ve looked for the DOCUMENT_ROOT with
    echo getcwd();

  22. Anyone

    August 7, 2012

    milkyway/functions/scripts/timthumb.php

  23. Alex Booth

    September 13, 2012

    OptimizePress can be added to list
