TimThumb plugin Webshot zero-day uncovered, WordPress websites at risk

ThumbWebsite owners who run a self-hosted installation of WordPress (rather than hosting their site on WordPress.com itself) are being warned about a serious vulnerability that has been discovered in the popular TimThumb plugin.

The TimThumb code is used on many WordPress blogs because of its ability to easily resize images – something that is useful for many website themes.

According to a post on the Full Disclosure mailing list, a zero-day remote code execution vulnerability has been found in the Webshot feature of the latest shipping version of TimThumb (2.8.13).

The flaw could allow hackers to execute commands on vulnerable websites, potentially injecting malicious code. Researchers at Sucuri say that if you are running a vulnerable site, attacks can “create, remove and modify any files on your server”.

Sign up to our free newsletter.
Security news, advice, and tips.

The good news is that TimThumb’s Webshot option is disabled by default, so the vast majority of sites using the plugin are probably not affected. The bad news is that you may not even be aware if your website is using the TimThumb library code as it could have been installed by a third-party theme or plugin.

The Hacker News offers advice for any website owners who are concerned that their version of TimThumb may have the Webshot option enabled:

1. Open timthumb file inside your theme or plugin directory, usually located at “/wp-content/themes//path/to/timthumb.php”

2. Search for “WEBSHOT_ENABLED”

3. If the you find define (‘WEBSHOT_ENABLED’, true) , then set the value to “false”, i.e. define (‘WEBSHOT_ENABLED’, false)

Presently there is no official fix for TimThumb available, but we should all have our fingers crossed that an updated version is released soon. Sadly, TimThumb has a bad reputation for being exploited by hackers who use its security holes to spread malware.

Update: TimThumb version 2.8.14 has now been released, fixing the vulnerability. It’s clear, however, that the developers are a little miffed that they weren’t informed about the vulnerability by the researchers who discovered it.

There’s no indication that the developers would have been reluctant to fix the bug if they had been informed about it responsibly before public disclosure, so it’s something of a mystery why the exploit was made public knowledge without giving them a fair chance to patch the security hole.

The source code for the latest version of TimThumb is available here.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

One comment on “TimThumb plugin Webshot zero-day uncovered, WordPress websites at risk”

  1. Coyote

    Re: "Sadly, TimThumb has a bad reputation for being exploited by hackers who use its security holes to spread malware."

    I was thinking (before I got to that) that isn't TimThumb even in web scanners for exploits ? And then you confirm its reputation. I am pretty sure w3af does scan for it (quick look suggests yes) and I imagine there are others (I am pretty sure I remember seeing another one that scans quite some vulnerabilities in timthumb). Shame when developers don't take things that seriously …

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.