The TimThumb 0-day security vulnerability is generating a lot of noise, and for good reason: if your theme ships a vulnerable copy of TimThumb, your site can be hacked with very little effort.
Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb.
If you use any of the following themes, check whether the script is present (in the themes below it appears as either timthumb.php or thumb.php) and make sure it is updated:
8q/scripts/timthumb.php
aerial/lib/timthumb.php
aesthete/timthumb.php
albizia/includes/timthumb.php
amphion-lite/script/timthumb.php
aqua-blue/includes/timthumb.php
aranovo/scripts/timthumb.php
arras/library/timthumb.php
arras-theme/library/timthumb.php
arthemix-bronze/scripts/timthumb.php
arthemix-green/scripts/timthumb.php
artisan/includes/timthumb.php
a-simple-business-theme/scripts/timthumb.php
a-supercms/timthumb.php
aureola/scripts/timthumb.php
aurorae/timthumb.php
autofashion/thumb.php
automotive-blog-theme/Quick Cash Auto/timthumb.php
automotive-blog-theme/timthumb.php
bikes/thumb.php
black_eve/timthumb.php
blex/scripts/timthumb.php
bloggnorge-a1/scripts/timthumb.php
blogified/timthumb.php
blue-corporate-hyve-theme/timthumb.php
bluemag/library/timthumb.php
blue-news/scripts/timthumb.php
bombax/includes/timthumb.php
breakingnewz/timthumb.php
brightsky/scripts/timthumb.php
brochure-melbourne/includes/timthumb.php
business-turnkey/assets/js/timthumb.php
calotropis/includes/timthumb.php
coffee-lite/thumb.php
comet/scripts/timthumb.php
conceditor-wp-strict/scripts/timthumb.php
constructor/layouts/thumb.php
constructor/libs/timthumb.php
constructor/timthumb.php
coverht-wp/scripts/timthumb.php
cover-wp/scripts/timthumb.php
dark-dream-media/timthumb.php
deep-blue/timthumb.php
delicate/thumb.php
diamond-ray/thumb.php
dieselclothings/thumb.php
digitalblue/thumb.php
dimenzion/timthumb.php
epione/script/timthumb.php
evr-green/scripts/timthumb.php
famous/megaframe/megapanel/inc/upload.php
famous/timthumb.php
fashion-style/thumb.php
featuring/timthumb.php
fliphoto/timthumb.php
flix/timthumb.php
fordreporter/scripts/thumb.php
freeside/thumb.php
fresh-blu/scripts/timthumb.php
go-green/modules/timthumb.php
granite-lite/scripts/timthumb.php
greydove/timthumb.php
greyzed/functions/efrog/lib/timthumb.php
gunungkidul/thumb.php
heartspotting-beta/thumb.php
heli-1-wordpress-theme/images/timthumb.php
ideatheme/timthumb.php
impressio/timthumb/timthumb.php
introvert/thumb.php
inuit-types/thumb.php
isotherm-news/thumb.php
iwana-v10/timthumb.php
jambo/thumb.php
jcblackone/thumb.php
kratalistic/thumb.php
life-style-free/thumb.php
likehacker/timthumb.php
litepress/scripts/timthumb.php
loganpress-premium-theme-1/thumb.php
magazine-basic/thumb.php
magup/timthumb.php
make-money-online-theme-1/scripts/timthumb.php
make-money-online-theme-2/scripts/timthumb.php
make-money-online-theme-3/scripts/timthumb.php
make-money-online-theme-4/scripts/timthumb.php
make-money-online-theme/scripts/timthumb.php
meintest/layouts/thumb.php
mobilephonecomparision/thumb.php
moi-magazine/timthumb.php
my-heli/images/timthumb.php
mymag/timthumb.php
mystique/extensions/auto-thumb/timthumb.php
nash/theme-assets/php/timthumb.php
neofresh/timthumb.php
neo_wdl/includes/extensions/thumb.php
new-green-natural-living-ngnl/scripts/timthumb.php
newspress/thumb.php
pearlie/scripts/timthumb.php
pico/scripts/timthumb.php
postage-sydney/includes/timthumb.php
premium-violet/thumb.php
probluezine/timthumb.php
pronto/cjl/pronto/uploadify/check.php
pronto/cjl/pronto/uploadify/uploadify.php
r755/thumb.php
regal/timthumb.php
shaan/timthumb.php
shadow-block/thumb.php
shadow/timthumb.php
simple-but-great/timthumb.php
simplenews_premium/scripts/timthumb.php
simple-red-theme/timthumb.php
simple-tabloid/thumb.php
simplewhite/timthumb.php
slidette/timThumb/timthumb.php
snowblind_colbert/thumb.php
snowblind/thumb.php
spotlight/timthumb.php
squeezepage/timthumb.php
standout/thumb.php
suffusion/timthumb.php
swift/includes/thumb.php
swift/includes/timthumb.php
swift/timthumb.php
techozoic-fluid/options/thumb.php
the_dark_os/tools/timthumb.php
themetiger-fashion/thumb.php
theory/thumb.php
the-theme/core/libs/thumbnails/thumb.php
thrillingtheme/thumb.php
tm-theme/js/timthumb.php
totallyred/scripts/timthumb.php
travelogue-theme/scripts/timthumb.php
true-blue-theme/timthumb.php
ttnews-theme/timthumb.php
twittplus/scripts/timthumb.php
typographywp/timthumb.php
ugly/timthumb.php
unity/timthumb.php
versitility/timthumb.php
vibefolio-teaser-10/scripts/timthumb.php
vina/thumb.php
whitemag/script/thumb.php
wpapi/thumb.php
wpbus-d4/includes/timthumb.php
wp-creativix/scripts/timthumb.php
wp-newsmagazine/scripts/timthumb.php
wp-perfect/js/timthumb.php
wp-premium-orange/timthumb.php
xiando-one/thumb.php
zcool-like/timthumb.php
zcool-like/uploadify.php
Caution: This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not on this list, it is a good idea to do a thorough review for the script, and not a bad idea to contact the theme author.
Note: We only listed the free themes found in the WordPress Free Themes Directory SVN; there are probably many more themes that include TimThumb in the premium theme market. If your vendor's theme includes the script, check with them to make sure the vulnerability has been fixed.
Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository SVN, they are not all publicly available for download.
If you have any questions, let us know.
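The "check whether the script is present and make sure it is updated" step above is easy to script. The following is an added example, not part of the original post or of the TimThumb project: it walks a wp-content/themes tree, picks out files named timthumb.php or thumb.php, keeps only those that actually carry the TimThumb header (several themes ship an unrelated thumb.php under the same name), and prints the version each copy declares. It assumes the copy identifies itself with the string "TimThumb" in the file and a define('VERSION', '...') line, and it treats MIN_OK (default 2.0, the rewrite published in response to the 2011 issue) as the cut-off below which a copy is reported as outdated; adjust that value to whatever the current TimThumb release is when you run it.

```shell
#!/bin/sh
# Added example (not from the original post or the TimThumb project):
# find copies of TimThumb under a themes directory and report their versions.
# Assumptions: a copy contains the word "TimThumb" somewhere in the file and a
# define('VERSION', '...') line; MIN_OK is the version below which a copy is
# flagged as OUTDATED (default 2.0; set MIN_OK=x.y.z to use a newer cut-off).

MIN_OK="${MIN_OK:-2.0}"

# version_lt A B -> succeeds if dotted version A sorts before B numerically
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# timthumb_version FILE -> prints the version declared in the file, or "unknown"
timthumb_version() {
    v=$(grep -i -m1 "define *( *['\"]VERSION['\"]" "$1" 2>/dev/null \
        | sed -n "s/.*['\"]\([0-9][0-9.]*\)['\"].*/\1/p")
    printf '%s\n' "${v:-unknown}"
}

# scan_themes DIR -> one line per TimThumb copy: STATUS<TAB>VERSION<TAB>PATH
scan_themes() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) -print \
    | sort | while IFS= read -r f; do
        # thumb.php is also used by unrelated scripts: require the TimThumb header
        grep -qi 'timthumb' "$f" || continue
        v=$(timthumb_version "$f")
        if [ "$v" = "unknown" ]; then
            status=UNKNOWN          # present but no parsable version: inspect by hand
        elif version_lt "$v" "$MIN_OK"; then
            status=OUTDATED
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$v" "$f"
    done
}

# Usage: scan_themes /var/www/html/wp-content/themes
```

Run it against the themes directory of every WordPress install on the host (and against wp-content/plugins as well, since a couple of the comments below report plugins bundling the script). Anything reported as OUTDATED or UNKNOWN should be replaced with the current TimThumb release or removed if the theme no longer needs it.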
58 comments
Not all of these themes you have listed are approved and in the theme system. The SVN can contain unlisted themes as well.
Very good point Otto. The post has been edited to reflect this.
Thanks as usual!
Best,
Dre
whitepress also uses timthumb!
Suffusion is listed, and as a user of that I feel obligated to mention that timthumb was removed as of version 3.7.5 – the current version is 3.8.2
Hi Barry, thanks for the comment. According to the version scraped from the repository, the file still exists in the theme. This is a good time for all theme authors to verify that everything in the repository is up to date and is reflecting properly.
Thanks again for your comment.
Dre
Hi Dre, Thanks for the quick reply. Based on your comment I scraped through the current release and the only mention of timthumb is in a comment in media.php. There is no timthumb.php or thumb.php present in version 3.8.2 – I’m not sure what the repository holds, if it’s old versions or what. But if it is an older version, then shame on the person that picks it up, the same as using an older version of WP or any other open source package. I’ll try to make mention of this to the author on his support forum.
Cheers,
Barry
As the author of Suffusion I feel obligated to point out that whatever methodology you used to determine your list of themes, it is plain wrong. TimThumb was removed from the theme about 6 months back.
You probably looked at http://themes.svn.wordpress.org/, then simply pulled up any themes that might have ever had TimThumb in it. If that is the case, you should amend your article above to change to something more appropriate. FYI, this is the list of all versions of the theme: http://themes.svn.wordpress.org/suffusion/. Take a look at the latest version (http://themes.svn.wordpress.org/suffusion/3.8.2/) or for that matter any version 3.7.4 onwards and let me know if you see the TimThumb script anywhere.
Your scraper is probably doing things wrong if it reports the script being present in the latest versions. I can point out at least a few other themes that haven’t had TimThumb for a while now.
Hi! Thanks for the list of themes, but there is an error: the theme Calotropis from itx doesn’t use timthumb.php, or it has another name!
Greetings from Germany, and sorry for my bad English!
Mike, TmoWizard
I use the ‘constructor’ theme on one site in version 1.57 and on another in 1.62, the latest.
Unfortunately, I can’t find a script named timthumb.php in my FTP.
And at first look, the script thumb.php in constructor, mentioned in the list,
doesn’t resemble timthumb.php!
??
cheers volker
Hi,
I used timthumb in a very old version of Constructor (< 1.0.0).
Don't worry, your version does not have the security vulnerability.
The file constructor/layouts/thumb.php is not a timthumb script.
As the author of Constructor I feel obligated to mention that timthumb was removed as of version 1.0.0 – 15 months ago. The current version is 1.6.2.
add PROSTO, from themeforest, to the list of vulnerable themes http://themeforest.net/item/prosto-business-portfolio-cms-wordpress-theme/
Oh great. So this is why some of my sites that use timthumb redirect to an unknown page. O_O. Will update all my themes now with timthumb. 😀
also…
monochrome/timthumb.php
ElegantThemes is/was using TT as well: http://www.elegantthemes.com/blog/theme-changesbug-fixes/timthumb-vulnerability-security-update
themes/androida-theme/androida/timthumb.php
http://www.web2feel.com/androida-theme/
Just a heads up, but I found that the WP-Mobile-Detector plugin uses this.
None of my themes had it, but I’ve used this plugin on a number of my themes and have now deleted it.
The Polished theme has the same vuln with 1.19
leetpress also uses the 1.14 version of timthumb
and another 4 themes:
premiumnews/thumb.php
typebased/thumb.php
metamorphosis/thumb.php
mainstream/thumb.php
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….
Awesome logic behind! Thanks for sharing this with me!
WordPress templates
I’m clean. =)
Also ReporterBlog, how to fix it?
http://codecanyon.net/item/slider-pro-wordpress-premium-slider-plugin defaults with timthumb but can be disabled.
Had lost 2 hours on this. Here is my solution:
The server didn’t return the right DOCUMENT_ROOT, so in thumb.php I had to add
$_SERVER["DOCUMENT_ROOT"] = '/domains/www/public_html';
In my case I looked for the DOCUMENT_ROOT with
echo getcwd();
milkyway/functions/scripts/timthumb.php
OptimizePress can be added to list