Timthumb (thumb.php) Security Flaw

Written by Magnus Jepson on August 3, 2011 in Product News.

This morning we were made aware of a security flaw within the Timthumb image resizing script, which is utilized in our themes for dynamic image resizing. It is also widely used in other WordPress themes and plugins.

As a result of this security flaw, the author of TimThumb and the author of WordThumb have worked together to release TimThumb v2 which fixes these security issues.

We highly recommend that you update your WooFramework as described below.

How to update your theme

Update TimThumb with WooFramework v4.4.2

You need to update to the latest version of the WooFramework (v4.4.2), as we have now moved thumb.php into the framework so it is easier to keep updated. There is also a new function in the framework which will remove your old TimThumb from the theme.

To update your Framework, simply go to your theme menu and select “Update Framework” (see our tutorial on the topic).

Please note that your site must be running the latest version of WordPress before you update the framework (minimum 3.2.1 and PHP 5.2.4).

Need further help?

We have created a dedicated forum for TimThumb issues in our support forum. Please make a new post in this forum and we’ll be along to assist you. View the new forum.


180 Responses

  1. john
    August 3, 2011 at 12:49 pm #

    I suppose the more pressing question is why WooThemes use some custom php library instead of WordPress’ own ones?

    • Magnus
      August 3, 2011 at 1:19 pm #

      We have the option to use both native WP Post Thumbnails with dynamic image resizing and the thumb.php for dynamic resizing.

      WP Post Thumbnails will stress the server resources less, but the thumb.php offers some advantages in remote resizing, automatic inline image resizing, crop zoom adjustment etc.

      So most of our themes have the best of both worlds, and you can choose which one to use. 🙂

  2. Soulhuntre
    August 3, 2011 at 1:15 pm #

    I have the same question. Not that the WP core is immune to these sorts of bugs but the fewer chunks of un-audited code we can have lying around the better.


    • Magnus
      August 3, 2011 at 1:20 pm #

      See comment above. Feel free to disable thumb.php in your Dynamic Images 🙂

  3. Thomas
    August 3, 2011 at 2:50 pm #

    The tim thumb script you link to still has the security flaw, and replacing your thumb.php script with timthumb.php without renaming will break functionality if you rely on dynamic resizing.

    This post has serious errors and is advising a course of action that will leave users' sites vulnerable. You should take down the post until you can get it right.

    • Tom
      August 3, 2011 at 3:41 pm #


    • Magnus
      August 3, 2011 at 8:09 pm #


      According to the latest fixes the security fixes have been applied in 1.34


      The post says to grab the code from the link and replace your thumb.php in the themes folder: “…and replace your thumb.php file in your theme folder.”

  4. Tom
    August 3, 2011 at 3:41 pm #

    Not very smooth.

    • Magnus
      August 3, 2011 at 8:13 pm #

      Did you have trouble updating your file? What wasn’t smooth? 😉

  5. Trace Richardson
    August 3, 2011 at 5:01 pm #

    After replacing this in a ton of themes with the version provided by Woo above, I’ve noticed the comments above about the version Woo is linking to being insecure. What say you, Woo?

    • Magnus
      August 3, 2011 at 8:10 pm #

      We’ll check with Ben Gillbanks again who is the author to confirm that version 1.34 is secure. I’ll also update the post on how to make it not use the remote sites.

  6. James
    August 3, 2011 at 7:17 pm #

    Is the linked to version safe or not? I don’t want to make any changes until I know it’s secure!

    • Magnus
      August 3, 2011 at 8:21 pm #

      It should be safe, but to make sure yours is 100% safe see the updated blog post above.

  7. lala
    August 3, 2011 at 8:01 pm #

    We need your answer ASAP, it is very important to know if the timthumb.php linked is safe or not. I’ve spent half a day updating the linked script 🙁.

    • Magnus
      August 3, 2011 at 8:12 pm #

      The script has been updated yesterday and today with submitted security fixes, but we’ll double check with the author. Also see the post where I’ve added info on how to disable remote hosts completely.

  8. lala
    August 3, 2011 at 8:07 pm #

    I think you need to update the Woo Tumblog plugin too, in the /functions directory.

    • Magnus
      August 3, 2011 at 8:12 pm #

      Thanks we’ll update the plugin as well 🙂

    • jeffikus
      August 19, 2011 at 12:22 pm #

      Thanks for letting us know – will be updating today!

    • jeffikus
      August 19, 2011 at 2:49 pm #

      V2.0.6 is now available in the WordPress plugin repository with updated TimThumb 🙂

  9. Marcus tibesar
    August 3, 2011 at 10:23 pm #

    This seems a bit over reactionary. I believe I will just wait until a regular Canvas theme update is published.

    • Magnus
      August 3, 2011 at 10:26 pm #

      All themes have been updated with latest thumb.php, but we aren’t updating the version number of our themes. Follow the instructions in the blog post above to update your thumb.php.

      • Ahran Dunsmoor
        August 9, 2011 at 4:52 pm #

        Why not bump the version number?

        It would be nice to see the fix for the security exploit listed in the revision history. That way I’d know that was the version I wanted without having to come read the comments of this blog post.

        Also, “We’d highly recommend that you grab the latest version of the theme *and* update your thumb.php” is a little confusing. I added emphasis on “and” in your post. If the theme has been updated then why the need to replace thumb.php?

        I’m not trying to be pedantic. When dealing with security problems please be as clear and simple as possible.

        Something like:

        1. We have updated the latest version of every theme with a fixed version…
        2. If you cannot update your theme to the latest version then…

        • Magnus
          August 9, 2011 at 6:06 pm #


          Since this is a mass update to all themes we have elected to not update each changelog.txt and style.css to save time. The thumb.php has been updated several times since this blog post went live, so to continually push out latest updates we have to drop version updates in the themes.

          By grab the latest version, we mean download it from our website and then update thumb.php on your site(s). There is no need to update the whole theme as that is a bigger process.

          Hope that makes it a bit clearer 🙂

      • Derek Mossman Knapp
        August 21, 2011 at 11:05 pm #

        I am not offered the option to update the framework as your tutorial states. I am a little tired of going around in circles here.

        What does one do if the option of updating framework is not an option? Reinstall and lose customizations? Surely not?

        You guys have been great — until this happened and you have dropped the ball and created a real headache and time sucker for people who backed you…

        Real bummer.

        Please get this sorted. To date I do not see anything I can do but start from scratch.

        • Nick Daugherty
          August 23, 2011 at 2:25 am #

          WooThemes is going to tell you to submit a ticket in their Support Forum.

          But I would bet that you haven’t updated your Coffeebreak theme in awhile. The “automatic update” of the framework is a fairly new feature.

          Try updating your theme manually — rename your current theme folder to something else… don’t delete it from your FTP just yet.

          Then test your site to see if it works with the vanilla version of Coffeebreak.

          For your customizations, you DID put them into a child theme, right?? 🙂

      • Derek Mossman Knapp
        August 21, 2011 at 11:06 pm #

        What does one do with this error???

        Fatal error: Cannot redeclare woothemes_more_themes_page() (previously declared in /home1/garagewi/public_html/vilkun-berries/wp-content/themes/coffeebreak/functions/admin-functions.php:2303) in /home1/garagewi/public_html/vilkun-berries/wp-content/themes/coffeebreak/functions/admin-theme-page.php on line 66

        I am at wits end …

  10. shawn
    August 3, 2011 at 11:22 pm #

    You may want to also check your server to make sure that your sites were not already compromised due to this security hole.

    I would strongly suggest that everyone 'grep -r base64_decode' your server files and make sure there are no long strings (good sign you’ve been hacked).

    There are also a ton of other steps that everyone should be taking, but that would take much more detail than I can provide in a comment, nor am I an expert, just a prior victim.

    The real problem that is not even being talked about so far, is just how bad this really is. Considering that virtually anything can be injected, it is not out of the realm to understanding that a compromised site ‘really’ can compromise the entire server on many shared hosts.
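Added example, not part of the original comment thread: a plain `grep -r base64_decode` also matches legitimate code, so this sketch narrows the check suggested above to PHP files that both call base64_decode and contain a long run of base64 characters. The 200-character threshold, the function names and the sample files are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post).

# scan_php_tree ROOT [MIN] -> prints "path<TAB>longest_run" for every PHP file
# that calls base64_decode AND holds a run of MIN or more base64 characters.
# MIN defaults to 200, an assumed threshold; tune it for your own code base.
scan_php_tree() (
    root=$1
    min=${2:-200}
    find "$root" -type f -name '*.php' -exec awk -v min="$min" '
        function report() {
            if (file != "" && calls > 0 && longest >= min)
                printf "%s\t%d\n", file, longest
        }
        FNR == 1 { report(); file = FILENAME; calls = 0; longest = 0 }
        {
            if (index($0, "base64_decode")) calls++
            rest = $0
            # walk every run of base64-alphabet characters on the line
            while (match(rest, "[A-Za-z0-9+/=]+")) {
                if (RLENGTH > longest) longest = RLENGTH
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END { report() }
    ' {} +
)

# make_sample_tree DIR: constructed sample files for the demo, not real malware.
make_sample_tree() (
    dir=$1
    mkdir -p "$dir/themes/demo"
    # 400 base64 characters that decode to harmless "ABCABC..." text
    blob=$(awk 'BEGIN { for (i = 0; i < 100; i++) printf "QUJD" }')
    # short literal passed to base64_decode: should not be reported
    printf '<?php echo base64_decode("aGVsbG8=");\n' > "$dir/themes/demo/functions.php"
    # long literal that is later decoded: should be reported
    printf '<?php $x = "%s";\n$code = base64_decode($x);\n' "$blob" > "$dir/themes/demo/suspect.php"
    # long literal that is never decoded: should not be reported
    printf '<?php $img = "%s";\n' "$blob" > "$dir/themes/demo/logo.php"
)

# Demo run against the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
scan_php_tree "$demo_dir"
rm -rf "$demo_dir"
```

A hit is a lead for manual review, not proof of compromise; compare any reported file against a clean copy of the theme or plugin it belongs to.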

    • yak
      August 4, 2011 at 6:37 am #

      To me, the worst part of timthumb has always been the server load it generates. It's just a really inefficient script.

    • Laurent MATIGNON
      August 4, 2011 at 8:51 pm #

      How do you do that? Do you have anything to help me to know this?

      On my website there has been a major issue for about 3 weeks and I really don't know how to solve it 🙁. Firstly my 4 oldest posts were republished but their content was replaced with some kind of ad… Weird. And now all my oldest posts are getting republished one after the other: this time their content is not altered but this is really annoying anyway!
      That’s the reason why I need to know if my website was compromised… Thanks for your help !

      • shawn
        August 5, 2011 at 7:51 pm #

        Yup, that is a huge sign that you have been compromised. There is no way to tell from your post if it came as a result of timthumb or not, that will take a ton of investigation.

        I would suggest reading through the wordpress forums for answers on how to recover. There are so many steps involved, that I can’t possibly detail them all in a comment. There are also a number of great articles on this which you can find via google.

      • Kevin Gilbert
        August 5, 2011 at 8:14 pm #

        Check out sucuri.net. They can clean your site and they have software that works within WordPress to keep you from being infected with malware in the future.

  11. Aryan
    August 4, 2011 at 7:58 am #

    It takes too much time to load.

  12. Arpan Kar
    August 4, 2011 at 11:54 am #

    Why am I not able to get any thumbnails or images in the featured posts in the slideshow?
    I switched to premium news, from comfy theme..
    can you plz help me out?

    • Magnus
      August 4, 2011 at 11:56 am #


      We can only provide support to our members in our support forum.

  13. chaos1
    August 4, 2011 at 7:54 pm #

    I received an e-mail from Mark Maunder, he forked timthumb and rewrote the script. Here is his post about the secure rewrite: http://markmaunder.com/2011/a-secure-rewrite-of-timthumb-php-as-wordthumb/


    • Magnus
      August 4, 2011 at 8:04 pm #

      Looks very promising, but as this is a rewrite of the original timthumb, there are bound to be errors. I tested it by replacing my thumb.php code and already had some images not work, so this isn’t something we can implement into our themes now, but everybody should feel free to test it themselves by copying the source code into their thumb.php file.

  14. Richard Best
    August 5, 2011 at 12:25 am #

    Hi there. Has the timthumb script you’ve pointed to online been further updated? I ask because I can’t see any line in the code which says:

    define ('ALLOW_EXTERNAL', FALSE);


    • Richard Best
      August 5, 2011 at 12:26 am #

      I should clarify by saying I can’t see any line which says:

      define ('ALLOW_EXTERNAL',…

      • Magnus
        August 5, 2011 at 3:15 am #

        Seems this variable has been removed in 1.35 so you only need to remove the $allowed sites array.

        • Richard Best
          August 5, 2011 at 3:31 am #

          Great, that’s what I’ve done to about 8 sites. Thanks Magnus.

  15. Jon
    August 5, 2011 at 1:35 am #

    I don’t use Woo themes, I had nothing against them in the past I just never have (I mostly build custom child themes, and am a Thesis refugee and now big Genesis fan), however reading this thread I’m much less inclined to _ever_ use a Woo theme in the future.

    Seriously? You can’t seem to be bothered to do your OWN security audit of something that you’re bundling with your themes and then stand behind it? Is the version of timthumb you’re linking to secure or not? It really shouldn’t be a difficult question…

    …and not indexing version numbers is a double #fail in my book.

    • Magnus
      August 5, 2011 at 3:22 am #

      We have done both our own and hired external sources to do security audits, and we did not pick up these issues with thumb unfortunately.

      All our new themes have the option to use WP post thumbnails instead, so you don’t need to use this 3rd party script. It dynamically resizes these with WP’s own functions, so you can modify your image sizes on an existing site and it will update them straight away.

    • Kevin Gilbert
      August 5, 2011 at 7:27 pm #

      Sorry to hear that you are “much less inclined to _ever_ use” a WooTheme. You would be missing out, in my opinion. I’ve been a WooThemes user for a while. Their themes are among the most beautifully designed and best coded around. I’ve looked at quite a few, including StudioPress and Thesis. I admire Brian Gardner and what he’s built at StudioPress. He is a class act and one of the biggest reasons that I’m using WordPress at all. If you’ve never used WooThemes, why are you over here posting anything at all? What have you added to this conversation? And why the need to take the tone you’ve taken in your comment? It really wasn’t necessary, especially if you’re never, and still never, plan on using WooThemes. Kind of troll-like behavior in my opinion.

      • Jon
        August 7, 2011 at 8:16 am #

        Kevin – Just because I’ve never built a site using a Woo theme doesn’t mean I don’t support or manage sites that do. I could have been more clear about that but didn’t think it really mattered why I was here. Regardless, the reason I came was to see what I needed to do to update those sites I manage that do use Woo, which is honestly just a few and none of which I built.

        As I said, I have had a lot of respect for Woo themes over the years, but again, that doesn’t change that this response disinclines me from ever using a Woo theme in the future. Sorry the tone was so harsh, reflecting on it, it was in part that I hold Woo to a higher standard and was disappointed.

        What I would expect of Woo and of any major theme developer is to come out and clearly say “We’re aware of this security threat and we’re working on it, as an interim solution you can manually go in and replace your thumb.php file with the latest updated version, when we’re sure that this security flaw is completely fixed we’ll release a +x.x.1 update to all the affected themes so you can update and know you have latest version.”

        • Kevin Gilbert
          August 8, 2011 at 3:39 pm #

          Thanks for the clarification. I don’t disagree with the sentiment, but it definitely seemed to be a pretty harsh tone from someone that started out the comment by saying they didn’t use WooThemes. I think my take was more that I’ve grown to trust the WooTeam, and I felt that as the events unfolded, they would provide the best info as they had access to it. At the end of the day, I have daily and weekly backups that can be used to restore a site within an hour, tops, if need be. Worst case, something bad happens, I restore to a previously known good state. Not ideal, but sometimes things happen. Success to you as you continue to use WordPress and support clients that do.

  16. Finch
    August 5, 2011 at 4:19 am #

    I’m not a programmer or server expert. I simply want to ensure my sites are not affected by this vulnerability but am confused by all the advice here. So what is the best course of action to take right now?

    Have all Woothemes been updated since this occurred and thus we should update right now (i.e. I only installed some themes last week, have they ALL been updated and need replacing?)?
    Or will that not make a difference if the recommended and latest course of action is to “disable the allowed remote sites completely” as per latest post update here?

    Even if we choose to use WP post thumbnails instead, wouldn’t thumb.php still reside on the server and thus pose a risk? (Dumb question maybe, like I said I’m not a programmer)…

    • Magnus
      August 5, 2011 at 8:16 am #


      I’ve updated the blog post to make it easier for you to see and download the secure version of thumb.php 🙂

      All themes are using the production version of thumb.php which does have 3 sites in the $allowedsites array.

      Only the thumb.php needs replacing inside the theme folder, which you can do via Appearance > Editor as shown in the blog post.

      If you want to use WP Thumbnails instead, disable thumb.php in Dynamic Images and remove it from your theme folder.

      Hope that clarifies the issue even more 🙂

  17. James
    August 5, 2011 at 7:56 am #

    I can’t help but think there is a lack of support/certainty about what the best action to take is. I went to upgrade my thumb file and it still has the ALLOW_EXTERNAL function yet above a comment states that the new version removed this?! So what did I update? In my opinion, an update to this post needs to be published, providing the definitive steps to be taken!

    • Magnus
      August 5, 2011 at 8:17 am #


      Timthumb is continuously updated by the author when users supply fixes to it. The latest version is 1.35 and I’ve updated the blog post with a modified version of this which is secure.

  18. Finch
    August 5, 2011 at 9:30 am #

    Would setting allowed sites to false (which it was anyway) and removing the site list from the array do the job too? That’s what I did earlier before this post was updated.

    • Magnus
      August 5, 2011 at 10:00 am #


      Yes that is what we have updated the post with 🙂

  19. Magnus
    August 5, 2011 at 7:05 pm #

    Update to blog post:

    Following the security issues in Timthumb, WordThumb has been released. We’ve tested this with our themes and it works quite well and is backwards compatible with Timthumb so you can simply replace the code in our themes’ thumb.php file.

    Feel free to grab WordThumb and copy it into your thumb.php and see how it works for you. If you find any bugs you can report them directly to the author. We’ll do some more testing and hope you can report back if it works for you or not, then maybe we can update our themes to use it instead, as it promises to be faster and easier to set up (no cache folder to CHMOD when you install the theme).

  20. Scott Semple
    August 5, 2011 at 7:43 pm #

    Was this warning sent out as an email to all Woo users? I heard about it through a different theme vendor and then checked the Woo blog, but considering the possible severity of the problem, it would have been good to have received an email warning right away.


    • Magnus
      August 6, 2011 at 9:25 am #

      Hi Scott,

      No we didn’t send out a warning yet as we were waiting on a complete fix, which now has come in the form of TimThumb v2.0 🙂

      We’ll most likely send out an update on Monday.

  21. Magnus
    August 6, 2011 at 9:23 am #

    Good news!

    Ben Gillbanks and Mark Maunder have worked together to fuse TimThumb with WordThumb to release TimThumb version 2.0 which fixes the security issues and improves the script.

    All our themes have been updated and you can see the blog post on how to update 🙂

  22. Mark Bailey
    August 6, 2011 at 7:45 pm #

    Thanks for addressing this and updating us with all the new developments!

    With TimThumb 2.0, is it still advised to further patch by deleting the allowed sites, or is it safe to leave them in?

    • Magnus
      August 7, 2011 at 10:57 am #

      V2 is secure so you don’t need to edit it 🙂

  23. James
    August 6, 2011 at 9:59 pm #

    I have a few questions about version 2:

    Should ALLOW_EXTERNAL be set to true (default) or changed to false?

    Also, should the 4 ‘ALLOWED_SITES’ be removed or left in there?


    • Magnus
      August 7, 2011 at 10:57 am #

      Nothing needs to be changed in V2 🙂

  24. Louise
    August 7, 2011 at 3:51 pm #

    I was about to check out one of the woo themes as I’ve got awful problems with the theme I’m using right now with another premium theme company. And the problem with the above!! So if I choose a woo theme now have they been updated so no problems? I’m a newbie to blogging and don’t want to end up with technical problems!

    • Magnus
      August 7, 2011 at 5:58 pm #

      Yes all themes have been updated with TimThumb v2 🙂

  25. Louise
    August 8, 2011 at 11:01 am #

    Fantastic!!! I’m now going to try out my trial 14 days, that’s a really brilliant idea, especially for newbies like me!!

  26. James
    August 9, 2011 at 12:03 pm #

    I, for one, think the response in the WordPress community in general, and here at Woo in particular, was spot on. THIS is why you pay for a premium theme. Not so you won’t ever have issues. Rather, so when you DO, there’s someone to help sort it out.

    Question: What is your recommended strategy for testing your site for previous intrusion? VaultPress is not in my budget. I suppose I can reinstall WP to overwrite any core files easily enough, but is there a way to determine if there has been an intrusion and your site is a ticking time bomb?

    • Magnus
      August 9, 2011 at 1:52 pm #

      Hi and thanks for comment James 🙂

      I believe Mark Maunder has some good info in his blog post on ways to check your server.

    • Kevin Gilbert
      August 9, 2011 at 2:28 pm #

      You might give sucuri.net a look as well as websitedefender.com. The latter is still in “Beta” but you can try it out for free. Both have at least a single free scan of your site to help check for malware. Perhaps one of the best tools, that I haven’t seen anyone specifically mention is Google’s Webmaster Tools. If you don’t have an account and haven’t set up your website in GWT, you should do that ASAP. Google will actually let you know if the bot detects malware. I’ve had a client for which Google’s notice re: malware was quite helpful.

  27. Robert Neu
    August 15, 2011 at 2:14 am #

    I’m actually pretty impressed with how quickly and senselessly this issue was fixed. I’ve dealt with a lot of other places that would have taken a month or more to deal with something like this, which is totally ridiculous in my opinion. Keep up the good work guys.

    • Robert Neu
      August 15, 2011 at 2:15 am #

      *seamlessly not senselessly. Auto-correct sucks sometimes…

  28. John P.
    August 15, 2011 at 7:47 pm #

    I noticed the latest Framework pulls TimThumb into the functions folder. Based on the source code, I assume the ‘optional’ config file needs to reside in the theme’s root directory. Right?

    • Magnus
      August 15, 2011 at 8:32 pm #

      Hi, yes we just updated this today. Optional config file goes in theme folder.

  29. elmalak
    August 16, 2011 at 3:14 pm #

    I’ve updated my thumb.php file according to your advice above, however, it seems my site has already been infected as it keeps redirecting me to

    Is there a way to fix that?

    Many thanks.

    • Magnus
      August 16, 2011 at 7:56 pm #

      Mark Maunder’s blog posts should have some good info on how to check your server, and there is also some info here: http://blog.sucuri.net/2011/08/update-to-the-superpuperdomain2-com-malware.html

    • Mike
      August 18, 2011 at 5:44 pm #


      Look in your .htaccess file, it is hidden down and way to the right… you will see a bunch of redirects

      • Bart
        August 23, 2011 at 3:43 pm #

        They will also leave a backdoor file in your (Woo) themes folder called wp.php. Delete that file.

        They’re coming in with user agent ‘firefox/3.5.5 gtb5’ and make a POST request to ../wp-content/themes/woo-theme/wp.php HTTP/1.1
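Added example, not part of the original comment thread: the three indicators reported above (redirects pushed out of sight in .htaccess, a wp.php file in the theme folder, and POST requests to that file) written as checks. The thresholds, function names, the combined access-log format and all sample data are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread).

# find_theme_wp_php ROOT -> path of any wp.php sitting inside a theme folder.
find_theme_wp_php() (
    find "$1" -type f -path '*/wp-content/themes/*/wp.php'
)

# find_hidden_redirects ROOT [PAD] -> "file:line:directive" for every
# Redirect*/Rewrite* line in a .htaccess that is indented by PAD or more
# whitespace characters, or that follows PAD or more blank lines.
# PAD defaults to 20, an assumed threshold.
find_hidden_redirects() (
    root=$1
    pad=${2:-20}
    find "$root" -type f -name '.htaccess' -exec awk -v pad="$pad" '
        FNR == 1 { blanks = 0 }
        /^[ \t\r]*$/ { blanks++; next }
        {
            line = $0
            sub("^[ \t]+", "", line)
            indent = length($0) - length(line)
            if (tolower(line) ~ "^(redirect|rewrite)" && (indent >= pad || blanks >= pad))
                printf "%s:%d:%s\n", FILENAME, FNR, line
            blanks = 0
        }
    ' {} +
)

# find_wp_php_posts LOG -> "ip<TAB>time<TAB>path<TAB>ua-match|ua-other" for each
# POST to a wp.php under wp-content/themes. The user agent is reported but not
# required, because it is trivial for a client to change.
find_wp_php_posts() (
    awk -F'"' '
        $2 ~ "^POST [^ ]*/wp-content/themes/[^/ ]+/wp\\.php([? ]|$)" {
            split($1, pre, " ")      # pre[1] = client address, pre[4] = [timestamp
            split($2, req, " ")      # req[2] = requested path
            ts = pre[4]; sub("^\\[", "", ts)
            ua = (index(tolower($6), "firefox/3.5.5 gtb5") > 0) ? "ua-match" : "ua-other"
            printf "%s\t%s\t%s\t%s\n", pre[1], ts, req[2], ua
        }
    ' "$1"
)

# make_sample_site DIR: constructed files and log lines for the demo only.
make_sample_site() (
    d=$1
    mkdir -p "$d/wp-content/themes/woo-theme"
    : > "$d/wp-content/themes/woo-theme/wp.php"
    : > "$d/wp-content/themes/woo-theme/functions.php"
    {
        printf 'RewriteEngine On\nRewriteRule . /index.php [L]\n'
        awk 'BEGIN { for (i = 0; i < 30; i++) print "" }'
        printf '%200sRewriteRule ^(.*)$ http://redirect.example/ [R=301,L]\n' ''
    } > "$d/.htaccess"
    cat > "$d/access.log" <<'EOF'
192.0.2.10 - - [23/Aug/2011:15:40:02 +0000] "POST /wp-content/themes/woo-theme/wp.php HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 GTB5"
198.51.100.7 - - [23/Aug/2011:15:41:10 +0000] "GET /wp-content/themes/woo-theme/thumb.php?src=/a.jpg&w=100 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.4 - - [23/Aug/2011:15:42:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# Demo run against the constructed site.
site=$(mktemp -d)
make_sample_site "$site"
find_theme_wp_php "$site"
find_hidden_redirects "$site"
find_wp_php_posts "$site/access.log"
rm -rf "$site"
```

Opening .htaccess in an editor with line wrapping switched on, or running `cat -A` on it, shows the same padded lines by hand.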

  30. Silencer
    August 16, 2011 at 4:22 pm #

    can you please do some lobbying for an improvement in WP media (library) features? You have definitely more influence than us average users.

    • Magnus
      August 16, 2011 at 7:55 pm #

      If you see the State of the Word video, Matt M gave some good indications of a re-work of the media library 🙂

  31. Callum Greens
    August 18, 2011 at 4:03 pm #

    I just received an email from Woo about this two minutes ago…. now I noticed it was posted on the 3rd august? Luckily everything is up to date now!

    • Mike
      August 18, 2011 at 5:07 pm #

      Yes, the 3rd…and today is the 18th!! Too little too late for many of us…

      • Adii Rockstar
        August 18, 2011 at 5:24 pm #

        We’re very sorry that we didn’t e-mail this out earlier. There are a few factors that influenced us to make the decision not to send it out until now.

        • Tim McDaniel
          August 19, 2011 at 7:06 am #

          If you get time, read the book, Blunder, by Zachary Shore. It discusses why smart people make bad decisions.

          Not emailing everyone was a bad decision. Don’t do it again. 🙂

          • Magnus
            August 19, 2011 at 7:57 am #

            To be honest we didn’t think it was a major security issue, but when we learned that sites were indeed getting infiltrated we knew it was needed. We also had to patch the framework and add the update TimThumb functionality which took some extra days to test to make sure it works.

            But yes, we should have emailed everybody earlier, agreed, but I do think we were one of the first to do so…

  32. AndroidWorkz
    August 18, 2011 at 4:15 pm #

    I am a php developer (for 11 years now). I want to thank Magnus for dealing with this issue in a professional manner. ALL scripts encounter security challenges in their lifetime… WordPress has certainly had its share. The most important thing to remember is that the vulnerability has been addressed. It is also important to remember that it is the hacker who has chosen to profit through illegal and specious means rather than honest ones.

    • Magnus
      August 18, 2011 at 11:51 pm #

      Thanks for the kind feedback! 🙂

  33. hedoux olivier
    August 18, 2011 at 4:18 pm #

    Does this security issue affect the old TeemThumb plugin for EE that you used to develop in the past, and for which I used to be a client of WooThemes?

    • Adii Rockstar
      August 18, 2011 at 5:25 pm #

      We’re not sure. Drop us a mail on support@woocommerce.com & we’ll put you in touch with our EE developer.

  34. Lynn Lively
    August 18, 2011 at 4:38 pm #

    We recently received this from our host, 1and1 Abuse Department.

    You received an alert concerning the security of your 1&1 account earlier. Our team of experts has now analyzed the incident. They ascertain that your 1&1 hosting account has been attacked via an insecure script you installed on your webspace.

    You will find an analysis of the attack and instructions on how to secure your webspace against future attacks in this e-mail.

    1. Analysis of the attack
    1.1 The hackers processed the attack through a security leak in your software

    – TimThumb

    The website they are referring to has been compromised and the administration panel and website are now taken over.

    What is your method of recovering the hours of work to create the website in this state?

    • hedoux olivier
      August 18, 2011 at 5:23 pm #

      Proceed with a daily backup! That’s the only solution… See with your host provider 1&1 what options they’re giving to their clients about daily backups…


  35. Pavel Bambasek
    August 18, 2011 at 4:58 pm #

    I updated Timthumb, but I still see in the menu “Update Timthumb.” How can I delete this menu item? Thanks

      August 18, 2011 at 6:02 pm #

      I keep getting this message also. “Old version of TimThumb detected in your theme folder. Click here to update.”

      I have updated to 4.4.1

      Does that mean I’m fixed ? (I have 2 sites with WooThemes)

      • Magnus
        August 18, 2011 at 11:50 pm #

        You need to click the link and update your old thumb.php.

  36. G. A. Dietrich
    August 18, 2011 at 5:19 pm #

    If I have done some customization work to the CSS will this Framework update change any of that?

    • Adii Rockstar
      August 18, 2011 at 5:25 pm #

      Nope, you can update the WooFramework without fearing any loss of modifications.

  37. rouzbeh FARZANEH
    August 18, 2011 at 5:56 pm #

    Thanks for your update about this security issue. I have massively modified many files of my templates plus the style.css and therefore I’m not really in a position to click on the update button. Would it be possible to just provide us with the new php file to replace in order to ease up the process?

    • Adii Rockstar
      August 18, 2011 at 11:09 pm #

      Be sure to make a backup of your theme before you upgrade. And the WooFramework will only update your functions.php file and the /functions/ folder, thus preserving all of your modifications.

  38. Alan Petersen
    August 18, 2011 at 6:24 pm #

    Hey Woos,

    Thanks for the warning and for making the process to take care of the problem so easy.

    As a non-techie type, I was dreading the “process” so I was delighted that it took about four clicks and a minute to patch things up.



    • Adii Rockstar
      August 18, 2011 at 11:10 pm #

      Glad that it worked out so well for you! 🙂

  39. william jacobson
    August 18, 2011 at 6:37 pm #

    At Update Framework, I see that even though my version is different than the current version, a message says No Upgrade Needed. Does this mean that the timthumb security issues are up to date?

    Welcome to the WooThemes Framework Updater. This updater will collect a file from the WooThemes.com server, download and extract the files to your current theme’s functions folder.

    → Your version: 2.9.27

    → Current Version: 4.4.1

    No upgrade needed. You are already running the latest available version.

    • Ryan Ray
      August 18, 2011 at 9:04 pm #

      Frameworks older than 3.5 need a manual update, just upload an updated version of the theme or the functions folder.

      Be sure to back up your theme before doing anything to it.

  40. I won't give my name until my site is fixed...
    August 18, 2011 at 7:02 pm #

    What now?

    → Your version: 3.0.05
    → Current Version: 4.4.1
    No upgrade needed. You are already running the latest available version.

  41. I won't give my name until my site is fixed...
    August 18, 2011 at 7:07 pm #

    What now?

    My version is 3.0.05, but the upgrade says: “No upgrade needed. You are already running the latest available version.”

    • Ryan Ray
      August 18, 2011 at 9:16 pm #

      So sorry about that.

      From one of my responses above…

      Frameworks older than 3.5 need a manual update, just upload an updated version of the theme or the functions folder.

      Be sure to back up your theme before doing anything to it.

  42. Jackstin
    August 18, 2011 at 8:10 pm #

    Does Canvas theme use TimThumb?

    • Ryan Ray
      August 18, 2011 at 9:17 pm #

      Yup. Be sure to update your theme files appropriately. 🙂

  43. April
    August 18, 2011 at 8:41 pm #

    1) Thank you for making the update so simple. You guys rock.

    2) I was only made aware of this after (1) we got a warning that our site was hacked from our host and RSA and (2) your newsletter this morning.

    ONE REQUEST: Can your wonderful Woo Team please email security risks immediately instead of waiting?

    We don’t mind extra emails. Thank you =)

    • Adii Rockstar
      August 18, 2011 at 11:11 pm #

      Yep, we’ll definitely get on e-mail much sooner if we ever encounter a similar problem in future.

  44. Mrs B
    August 18, 2011 at 9:57 pm #

    I updated and now my blog has no thumbnails!!!!

    • Adii Rockstar
      August 18, 2011 at 11:11 pm #

      Either send us a mail or create a ticket in the support forum and we’d be more than happy to help!

  45. Frank McClung
    August 18, 2011 at 10:13 pm #

    I second the email security risk announcements.

    • Shannon
      August 20, 2011 at 6:20 am #

      Thirded! I have some major cleanup to do now.

      One suggestion: when you send out an email with a major security issue like this, please put something to that effect in the subject line rather than the easy-to-overlook “Announcements”… I’m sure you feel our pain with email triage and that would be a huge help 🙂

  46. Skyrocket Websites
    August 19, 2011 at 2:09 am #

    We normally modify the TimThumb script to allow it to resize images from our parent domain, as most of our sites are set up with WP Multi-site.

    $ALLOWED_SITES = array (

    Now that thumb.php is in the WooFramework, how would you recommend handling this? Our customizations would be overwritten every time we update the WooFramework.

    • Skyrocket Websites
      August 19, 2011 at 2:17 am #

      Answered my own question — simply create a file called ‘timthumb-config.php’ with the necessary modifications and place it in the theme folder (the main folder, not inside /functions).

  47. Dwayne
    August 23, 2011 at 3:40 pm #

    The ‘view new forum’ link goes to a 404…


  48. Dave
    August 23, 2011 at 9:54 pm #

    This fix was too late. My site was hacked thanks to tim thumb. Php code was added to the theme header which created an iframe that forced malware download and install silently.
    I have always had problems with tim thumb within woothemes as it causes a lot of errors. If the server is set to show the errors, the entire theme breaks making it impossible to troubleshoot an issue that may be causing errors to be displayed.
    I contacted your support staff about this a while back and they simply told me that NONE of the servers you have tested the theme on shows the error. That means that you do not test any of your themes on servers which have errors enabled and displayed. How can you be so sure that your themes do not produce errors if you are not testing them with errors enabled? When I pointed this out, your staff told me to contact the developer of tim thumb. Why should I? I didn’t pay them for their work.

    Sorry if I seem annoyed, but this oversight has caused a lot of damage, work, loss in earnings and loss in reputation, not to mention the reduced ranking on search engines due to the malware infection.
    And that is not to mention all the timezone errors that your themes produce. I find it very hard to understand why you would not test your themes with errors displayed.

    • Magnus
      August 24, 2011 at 12:30 pm #


      Sorry for the trouble you’ve had with TimThumb.

      I’m not sure exactly which error you were receiving before, but we do test all our themes with error reporting on. TimThumb won’t work on all servers, but that should not make the theme stop working. I haven’t seen any cases of this.

      You have the option of not using TimThumb in many of our themes though, so just use the native WP Post Thumbnails instead if you don’t want to use it.

      I understand your frustration regarding the security issue, and we share the frustration as we’ve also had sites under attack.

      Not sure what the timezone errors are so please post in the forum and we’ll look into that.

  49. Stuboy
    August 23, 2011 at 9:54 pm #

    I thought I had updated the Framework the other day having clicked on the link in WordPress to update the framework.

    However, when I viewed my site earlier today, rather than having the little WordPress banner at the top of my site I had little inconspicuous links to Viagra sites etc etc. Does this mean I have been compromised? I also accessed my wp-admin area which now advised I carried out another update as my Timthumb was out of date!!

    Confused but just need to know I haven’t been hacked, Sucuri scan says I’m OK, would that be accurate? The little Viagra links concern me!!

    • Magnus
      August 24, 2011 at 12:32 pm #


      This sounds like you have been compromised, probably before you updated your framework.

      If you get the timthumb update notification that means that the thumb.php is still in your theme folder. Delete it manually if the update doesn’t work.

  50. Dan
    August 23, 2011 at 10:45 pm #

    It would help a lot if the WT framework updates issued alerts in the normal WP update alert area or just somewhere on the dashboard. A security-related email list or feedburner feed would be nice too.

    • Magnus
      August 24, 2011 at 12:32 pm #

      Yep we are looking into adding a dashboard notification for future updates 🙂

  51. Dan
    August 23, 2011 at 10:49 pm #

    How about making the framework update availability prominent in the dashboard, maybe even use the regular WP update area?

    • Magnus
      August 24, 2011 at 12:33 pm #

      Yes we’ll look into adding a notification in admin area if framework update is needed.

  52. Dave
    August 23, 2011 at 10:51 pm #

    It likely does. The main problem is that when you update the framework, it does not pop up and say that there is an update for tim thumb. It will only show this warning when you click on another link. So, if you only went on your site to update the framework, you will not have seen the tim thumb update notice.

    On a separate note, one of my sites is using the Therapy theme and it does not have any framework settings or framework update button. I am using the latest version of wordpress and the theme states that the framework version is 4.0.0. When I visit my site with wp-admin/admin.php?page=woothemes_framework_settings at the end, it says “You do not have sufficient permissions to access this page.” and the same goes if I try to visit the update page. Neither the settings nor the update links show under the theme. What can I do to update the framework?
    I have tried deleting the whole theme and uploading it again with the same results.

    It seems that the tim thumb script has been updated a lot this month. Which version are woothemes using? As this post is from the 3rd, I would guess you are using the update from the 2nd. If that is the case, do you plan on updating the same way for all other available tim thumb updates?

    Many thanks

    • Magnus
      August 24, 2011 at 12:35 pm #

      Hi Dave,

      Please post any issues directly in the forum as advised in the blog post so we can assist you better.

      We are using 2.8 of TimThumb which is the latest. We always keep the latest in the WooFramework now, so you just have to update to latest WF.

  53. Dan
    August 23, 2011 at 11:15 pm #

    Sorry, I didn’t mean to post twice on this post.

    Dave, if you are replying to me, I agree with you except to note that there is NO dashboard notice about the framework needing an update — at least if you are using the TMA theme. You have to go 2 or 3 screens into the framework and read the very downplayed current version # vs. your version # screen, follow it, and then make the second timthumb update as you noted. (As of today.)

  54. Randy Giusto
    August 23, 2011 at 11:19 pm #

    When I updated my one site with the Busy Bee theme, the “timthumb problem” message was there and I successfully upgraded the framework and everything worked.

    When I tried to do the same with my original blog on the headlines theme there was no mention of timthumb, and when I upgraded the framework the whole site crashed and I had to have my hosting provider rebuild it from a backup. This happened before with this site and the Headlines theme.

    I can’t seem to upgrade the theme or the framework via the WordPress dashboard for this site, but yet I can for my other site (same hosting provider) running the Busy Bee theme. How come?

    Should I just change Woo themes? Will that correct the problem? Haven’t you guys moved theme and framework upgrades fully into the WordPress dashboard by now so I don’t have to mess with FTP SW?

    • Randy Giusto
      August 23, 2011 at 11:21 pm #

      forgot to add that I’m running Headlines 2.4.1 and Framework 2.6.5 on this site and have never been able to upgrade either successfully, like the other site I manage.

    • Magnus
      August 24, 2011 at 12:37 pm #


      Please note that the framework and TimThumb need PHP 5.2.4 and WordPress 3.2.1 as described in the post.

      If you need assistance with any further issues, please make a post in the support forum as described in the post.


  55. cleverdaisies
    August 25, 2011 at 2:38 am #

    Hi there,

    A client of mine is using one of your themes, and we were able to successfully update the framework, however we are having issues updating the timthumb script.

    This is the error that we are getting.

    Warning: fopen(/home/superkit/public_html/wp-content/themes/featurepitch/featurepitch/thumb.php) [function.fopen]: failed to open stream: Permission denied in /home/superkit/public_html/wp-content/themes/featurepitch/featurepitch/functions/admin-functions.php on line 3134

    For the time being I have manually replaced the thumb.php with an updated version, however it is still showing the red bar in the admin panel to update.

    Any help would be greatly appreciated.

    Thank you!

    • Magnus
      August 25, 2011 at 9:38 am #


      Simply delete the thumb.php in your theme folder to remove this error. It’s just trying to open and check if it is the old version. If it doesn’t exist then it doesn’t check.

      • cleverdaisies
        August 25, 2011 at 10:39 pm #

        Hi Magnus! That worked great.

        Thank you!

  56. Vern L
    August 25, 2011 at 4:04 am #

    Infected by malware – and trying to clean site – lost all menus above and below the header – why??

    Thanks for any help.

    • Magnus
      August 25, 2011 at 9:40 am #


      Please post in our forum as described in the post for us to provide assistance 🙂

  57. Tracey
    August 25, 2011 at 3:31 pm #

    Hi there,

    does this only affect the Woo Framework, or older themes as well? I use Fresh News (purchased about 2 years ago) and would like to know if my site will be affected?


    • Magnus
      August 25, 2011 at 3:55 pm #

      Yes there should be a thumb.php in the theme folder which you’ll need to update to latest version http://timthumb.googlecode.com/svn/trunk/timthumb.php
      Post in our forum if you need assistance 🙂

      • Tracey
        August 25, 2011 at 6:40 pm #

        Thanks Magnus – I just deleted thumb.php, added this timthumb.php – and all SEEMS ok… fingers crossed…


  58. kim
    August 26, 2011 at 8:30 pm #

    I have an old theme and none of the tutorials for patching the timthumb or updating the framework are applicable. Premium News 1

    Any suggestions?



    • kim
      August 26, 2011 at 8:34 pm #

      I guess I should also mention, that I did get the warning on my dashboard about the patch. I was hacked yesterday and I am in the process of cleaning up my site.



    • Magnus
      August 27, 2011 at 10:17 am #


      Premium News 1 requires you to simply update thumb.php to latest version found here: http://timthumb.googlecode.com/svn/trunk/timthumb.php

  59. Steve Dimmick
    August 27, 2011 at 2:13 am #

    Thanks to Magnus, Adii and the entire WooThemes team!!!
    Your help in resolving this issue has been worth an entire year’s cost of support – all in one go 😉

    My sites and my clients’ sites have now been updated – a very simple process thanks to your most sophisticated framework design.

    I completely echo the sentiment of the others here who pointed out that this is why you invest in premium themes with an awesome company who knows how to support their clients.

    Thank you!

    • Magnus
      August 27, 2011 at 10:16 am #

      Great to hear Steve! Glad we could help out 🙂

  60. Aaron McCarter
    August 30, 2011 at 3:20 am #

    my site running Coda was hacked 🙁 updated framework & thumb.php according to your directions. Still getting redirected every day…

    discovered a bunch of timthumb.txt files in the wp-content/themes/coda/cache
    upon further inspection, the txt files seem to contain scripts

    Also, thumb.php seems to still be in two places:

    Why is thumb.php in two places? Is this correct?

    Any word on how I can close the remaining vulnerability???


    • Adii Rockstar
      August 30, 2011 at 7:29 am #

      You should follow our instructions in this post to fix the vulnerability ASAP. Then please give us a shout via the support forum, where we can further advise on how you could secure & clean your server.

      • Aaron McCarter
        August 30, 2011 at 4:13 pm #

        yep, followed your instructions, as indicated in the original post. I guess I’ll head over to the forum to get help.
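
The two findings in the comment above (more than one copy of thumb.php, and cache files that contain scripts) can be checked with a short audit. This is an added example, not WooThemes' or TimThumb's code; it assumes the script declares its version as `define('VERSION', ...)`, and the theme tree, version numbers and file contents in `demo()` are constructed.

```python
import os
import re
import tempfile

SCRIPT_NAMES = {"thumb.php", "timthumb.php"}  # names the script goes by on this page
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)  # a cached image should never contain this
# Assumption: the script declares its version as define('VERSION', 'x.y').
VERSION_RE = re.compile(
    rb"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"](\d+(?:\.\d+)*)['\"]")
MAX_BYTES = 5 * 1024 * 1024  # inspect at most 5 MiB of each file


def read_head(path):
    with open(path, "rb") as fh:
        return fh.read(MAX_BYTES)


def script_version(path):
    """Return the declared version string, or None when none is found."""
    match = VERSION_RE.search(read_head(path))
    return match.group(1).decode() if match else None


def needs_update(version):
    """True unless the copy declares TimThumb 2.x or later."""
    return version is None or int(version.split(".")[0]) < 2


def audit_themes(themes_root):
    """Return (scripts, suspicious): scripts maps every thumb.php/timthumb.php
    copy to its declared version; suspicious lists files inside any 'cache'
    directory that contain a PHP opening tag."""
    scripts, suspicious = {}, []
    for dirpath, _dirs, files in os.walk(themes_root):
        parts = os.path.relpath(dirpath, themes_root).split(os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in SCRIPT_NAMES:
                scripts[path] = script_version(path)
            elif "cache" in parts and PHP_TAG.search(read_head(path)):
                suspicious.append(path)
    return scripts, sorted(suspicious)


def demo():
    """Audit a constructed theme tree; paths come back relative, with '/'."""
    root = tempfile.mkdtemp()
    layout = {  # constructed sample files, not real theme contents
        "coda/thumb.php": b"<?php define ('VERSION', '1.19');",
        "coda/functions/thumb.php": b"<?php define ('VERSION', '2.8');",
        "coda/cache/timthumb.txt": b"constructed bytes <?php /* marker */ ?>",
        "coda/cache/photo.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    scripts, suspicious = audit_themes(root)
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    stale = sorted(rel(p) for p, v in scripts.items() if needs_update(v))
    return stale, [rel(p) for p in suspicious]


if __name__ == "__main__":
    stale, suspicious = demo()
    print("script copies to replace or delete:", stale)
    print("cache files containing PHP:", suspicious)
```

On a real site, point `audit_themes()` at the `wp-content/themes` directory; a copy with no recognisable version string is reported as needing an update because it cannot be shown to be 2.x.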

  61. Igshaan
    August 30, 2011 at 11:16 am #

    Hi Guys, have been following this thread and am now even more confused. I do my own websites and am not a techie – which is partly the reason I purchased Woothemes. Magnus keeps referring to the blog post that outlines how to update and fix the vulnerabilities.

    My site has been hacked and I am still struggling to fix it. Please can you post a link that clearly outlines where to find the relevant post being referred to.


    • Magnus
      August 30, 2011 at 12:00 pm #


      In the post above, we have a link to our support forum where you can post for more help on the issue.

  62. Justin Bowers
    September 1, 2011 at 1:49 am #

    Hi Magnus,

    I’ve been thoroughly going through my sites and updating the Woo Framework and TimThumb. I’ve run into an issue though with the Crisp theme. There’s no option to update the framework. I only have Theme Options, SEO, and Sidebar Manager under the Crisp side panel.

    If I download the latest version of Crisp and copy over my theme (BLOODY HELL, I JUST REALIZED THAT I DIDN’T MAKE A CHILD THEME…MY BAD), will that correct the issue or give me the option to update the framework then?


    • Magnus
      September 1, 2011 at 9:06 am #


      Check in “Framework Settings” if you can enable the feature. If not, simply download latest theme and replace the theme’s “functions” folder completely, as that is where the framework resides.

  63. Leslie Nicole
    September 5, 2011 at 5:27 pm #

    Just thought I’d chime in and say how important following these updates are. I have an older hobby blog that I haven’t had time to keep updated – saw your newsletter and it was “on my list to do”. In the meantime, shortly afterwards my site got hacked and my service provider suspended my account. Took me $200 to get my files cleaned up and several days of updating all of my themes / wordpress. So, word to the wise. Do it as it comes up!

  64. Blain
    September 7, 2011 at 4:32 pm #

    So one of my client’s websites was hacked pretty badly. I deleted the whole overeasy woo theme folder and re-installed a fresh copy, fresh thumbs, etc. to get rid of all the crap. That worked but my main issue remains that .htaccess, even when I remove the spam content and re-upload it, gets overwritten every day with a spam version. Thus, I think there is a backdoor file still intact somewhere but I can’t find it? I re-installed WordPress, updated admin password, updated ftp password (found spam htaccess files in all my other sites hosted with GoDaddy), and am now searching the remaining files for this backdoor plug. My question is what should I be looking for? a php file?

    The good news is that the several dozen virus files created originally in the theme’s folder have not returned, nor have the spam .htaccess files in my other sites hosted under the same registrar. It is JUST this one .htaccess file on the originally hacked site. Please advise.

  65. Dan
    September 7, 2011 at 7:35 pm #

    @Blain, give the “virus scanner” plugin a try. It does a good job of looking for malware and bad code inserts.

