TimThumb vulnerability and how to protect your website

Written by Matty Cohen on June 26, 2014 Blog, News, Product News.

tl;dr – Be sure you’re running the latest version of the WooFramework. If you are, your website is safe from this exploit. For added security, add define ('WEBSHOT_ENABLED', false); to your wp-config.php file.

A security vulnerability within the TimThumb image resizing script was recently brought to light. This vulnerability uses the webshots feature (in beta) in TimThumb to gain unauthorised access to a website running TimThumb.

TimThumb, bundled into our WooFramework, is a script we keep a close eye on, to ensure it is safe and secure for you, our customers. While we are working through steps to remove TimThumb from our framework, the script is currently present in the WooFramework.

How to stay safe

By default, the webshots feature is disabled. This means that, unless you specifically enabled the feature on your website (via code), your website is not vulnerable to this exploit.

As your website’s safety and security is of paramount importance to us, we’d like to provide a few extra tips for further safeguarding your website against this particular exploit.

Please ensure that, in your wp-config.php file, you have the following line:

define ('WEBSHOT_ENABLED', false);

This ensures that the webshots feature in TimThumb is disabled.

Please note that this is a safeguard and not required in order for your website to function.

Stay safe, everyone.


11 Responses

  1. douglsmith
    June 26, 2014 at 5:22 pm #

    Note that if you copy the code above it will contain curly single quote, which will not work. The quotes around WEBSHOT_ENABLED need to be changed to regular single quotes.

    • Matty Cohen
      June 26, 2014 at 6:34 pm #

      Thanks for pointing that out. I’ve updated the code inside the blog post to remedy this. 🙂

  2. Jason Pelker
    June 26, 2014 at 6:26 pm #

    I can’t believe you’re still using TimThumb.


    You’re putting your customers in danger for such an unimportant feature—one fairly well replaceable by built-in WordPress functions: http://wpengine.com/2011/06/13/how-to-avoid-the-timthumb-script/

    • Matty Cohen
      June 27, 2014 at 9:21 am #

      Hi Jason,

      I’ve made a note in the blog post that we’re looking to remove it from our Framework.

      We’re hoping to have this removed in the next big code sprint following WooFramework 6.0. 🙂

  3. Jesse
    June 27, 2014 at 6:12 pm #

    Are you guys still making themes?? last release was in February???

    • Jesse
      June 27, 2014 at 6:13 pm #

      ok, I see one was released in April as well… so yeah…

    • Ryan
      June 27, 2014 at 6:25 pm #

      We are, just on a slower pace. We’re no longer committing to doing one new theme a month. Instead taking our time on new themes, and as you’ve seen, completely redone an existing theme. Spectrum was completely redone to bring it up to par with what a modern theme should be. 🙂

      Our goal is to have a smaller theme catalogue but all those themes in there should be robust, modern, and as flexible as possible.

      • Jesse
        June 27, 2014 at 6:46 pm #

        When I signed up you sold me 3 themes per month… gradually that has been whittled down first to two, but Magnus told me it would usually be 3, then to two for sure.. then down to one but I was assured that was the last cut… now you are basically telling us that “hey, you pay your monthly subscription (yes, I realize you gave us a free year) every month on top of the big chunk that you paid when you initially purchased your developer club membership.. but were not going to commit to providing you anything for that monthly fee… so, just keep paying that and we will give you whatever we feel like… What have I been paying for every month for over 5 YEARS?? Eventually my cost/value points will intersect and switch to a point where I would have been better off just buying each theme individually as I needed them instead of paying for my membership.. but guess what, at that point I can’t change that because if I stop paying my monthly fee I lose access.. so I am essentially stuck paying every month just so I don’t throw every $ I have given you guys away completely. You can’t make a commitment then un-make it.. that isn’t how that works… would you guys benefit from a description of the word commitment??

        com·mit·ment [kuh-mit-muhnt]
        1. the act of committing.
        2. the state of being committed.
        3. the act of committing, pledging, or engaging oneself.
        4. a pledge or promise; obligation: We have made a commitment to pay our bills on time.
        5. engagement; involvement: They have a sincere commitment to religion.

        Bottom line, either you don’t care or you think we don’t care… which is it?

  4. arisprast
    June 30, 2014 at 12:54 pm #

    I just learned about the web. and I am very happy to read this article. very useful so that our website is always secure. thank you


  5. Jesse
    July 3, 2014 at 12:08 am #

    So, my last comment is not going to get a reply and you will just leave spam links on your site?? I guess I should sign up for a few affiliate programs and just start littering crap links all over your posts then….

  6. remedios caseros para medicina para la retencion de orina
    July 14, 2014 at 4:03 pm #

    Hola! he acabado de leer tu entrada y me apetece agradecerte que hayas dedicado tu tiempo en escribir toda esta informaciĂłn tan jugosa para las que estamos perdiendo peso. Muchas gracias por tu blog!! Y un saludo!!