The open-source WordPress content management system and blogging platform is potentially at risk from a newly reported vulnerability in the Timthumb image manipulation library.
The vulnerability was publicly reported on June 24 by security researcher Pichaya Morimoto, who posted an advisory on the Full Disclosure security mailing list. The Timthumb vulnerability could potentially enable an attacker to gain access to the underlying server and modify any file on it. That’s a nontrivial risk.
Making this issue perhaps even more troublesome is the simple fact that many Timthumb users likely don’t even know they are using the technology, as it is often embedded as part of WordPress themes that self-hosted WordPress users can deploy.
WordPress is freely available for anyone to use and deploy and is also available as a hosted platform on WordPress.com. The WordPress.com platform is not affected by the current Timthumb issue.
This isn’t the first time Timthumb has been the root cause of a security risk for WordPress users. Timthumb was also found to be vulnerable to attack from a flaw first discovered and patched in 2011. A study from Incapsula in August 2013 found that, two years later, the 2011 Timthumb issue was still being actively exploited.
Simply put, there are WordPress users who haven’t patched the 2011 issue, and there is no reason to suspect that this new Timthumb issue will change that.
That said, Daniel Cid, CTO of security firm Sucuri, blogged that the new Timthumb issue doesn’t affect all Timthumb installations. The new flaw is specifically in the webshot feature, which takes screenshots of web pages.
“The good news is that Timthumb comes with the webshot option disabled by default, so just a few Timthumb installations are vulnerable,” Cid blogged.
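Because the exposure hinges on whether webshot is turned on, a site owner's first job is to find every copy of the library their themes ship and read its setting. The script below is an added example written for this article, not code from eWEEK, Sucuri or the TimThumb project. It assumes the library lives in files named timthumb.php (or the common rename thumb.php), that the switch is a PHP constant named WEBSHOT_ENABLED, and that an optional timthumb-config.php beside the library can override the library's default; all three are assumptions, and the directory tree it scans is a constructed stand-in for wp-content/themes.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed file names: the library itself and the optional per-site override file.
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
CONFIG_NAME = "timthumb-config.php"

# Strip /* ... */ and // or # line comments so a commented-out define is ignored.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

# Matches define('WEBSHOT_ENABLED', true) with flexible quoting and whitespace
# (assumed constant name).
_WEBSHOT_RE = re.compile(
    r"""define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)


def webshot_setting(source: str):
    """Return True/False for the WEBSHOT_ENABLED define, or None if it is absent."""
    code = _COMMENT_RE.sub("", source)
    m = _WEBSHOT_RE.search(code)
    if m is None:
        return None
    return m.group(1).lower() == "true"


def scan_for_timthumb(root):
    """Walk a themes directory and report each TimThumb copy with its effective setting."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = Path(dirpath) / name
            text = path.read_text(errors="replace")
            if "timthumb" not in text.lower():
                continue  # same file name, but not the TimThumb library
            enabled = webshot_setting(text)  # library default (None counts as off)
            cfg = Path(dirpath) / CONFIG_NAME
            if cfg.is_file():
                override = webshot_setting(cfg.read_text(errors="replace"))
                if override is not None:
                    enabled = override  # config file wins over the library default
            findings.append({"path": str(path), "webshot_enabled": bool(enabled)})
    return findings


def summarize(root):
    """Map each theme directory name to whether webshot is enabled there."""
    return {Path(f["path"]).parent.name: f["webshot_enabled"]
            for f in scan_for_timthumb(root)}


def build_sample_tree():
    """Create a constructed, minimal stand-in for wp-content/themes (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="timthumb-scan-"))
    library_default = (
        "<?php\n// constructed stand-in for the TimThumb library header\n"
        "if (! defined('WEBSHOT_ENABLED')) define ('WEBSHOT_ENABLED', false);\n"
    )
    (root / "theme-a").mkdir()
    (root / "theme-a" / "timthumb.php").write_text(library_default)
    (root / "theme-b").mkdir()
    (root / "theme-b" / "timthumb.php").write_text(library_default)
    (root / "theme-b" / CONFIG_NAME).write_text(
        "<?php\ndefine('WEBSHOT_ENABLED', true);\n")
    (root / "theme-c").mkdir()
    (root / "theme-c" / "thumb.php").write_text("<?php echo 'unrelated';\n")
    return root


if __name__ == "__main__":
    for theme, enabled in summarize(build_sample_tree()).items():
        print(f"{theme}: webshot {'ENABLED' if enabled else 'disabled'}")
```

Run it against a real wp-content/themes path by calling summarize on that directory; any theme reported as enabled is the one to review, and an entry reported as disabled still tells you the library is present and should be tracked for the eventual patch.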
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.