WordPress Sites At Risk Through Image Plugin
WordPress sites that use the TimThumb image-resizing script have been identified as being at risk of attack, according to a report by The Register.
The report warns anyone running a self-hosted WordPress site that TimThumb contains a vulnerability, and that site owners should take action to protect their sites and blogs.
TimThumb is popular with WordPress users because it lets them resize images quickly and easily. It is usually shipped inside themes and plugins rather than installed as a plugin in its own right, so a single site can hold several copies of it. Version 2.8.13, the latest release at the time of the report, has a zero-day vulnerability in its WebShot feature that allows an attacker to inject and run hostile code on the server.
According to The Register's report, researchers from the infosec house Sucuri have warned that attackers are able to "create, remove and modify any files" on vulnerable systems.
Because the flaw lies in the WebShot feature, anyone using TimThumb on WordPress is advised to disable WebShot (set the WEBSHOT_ENABLED option to false in the script's configuration) until a permanent fix is in place; with the feature switched off, the vulnerable code path cannot be reached. WebShot is off by default, so sites that never enabled it are not exposed, but that is worth checking rather than assuming.
Most WordPress users running TimThumb should already have heard about the problem, as it was revealed on the Full Disclosure mailing list, and the developers moved quickly to release a new version, 2.8.14, which resolves the issue.
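Since TimThumb copies are scattered through themes and plugins and are often renamed, the practical first step is an audit: find every copy, read its VERSION constant, and check whether WebShot is enabled either in the script or in a sibling timthumb-config.php. The script below is an added example for this article, not code from The Register, Sucuri or the TimThumb project; it assumes the constants are written in TimThumb's usual `define ('NAME', value);` form and runs against constructed stand-in files, not real TimThumb sources.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for TimThumb copies and report, per copy,
# the version and whether WebShot is switched on. Read-only; it changes nothing.

# Print the VERSION constant from a TimThumb file, or nothing if it has none.
timthumb_version() {
    sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Exit 0 if WEBSHOT_ENABLED is defined true in the script itself or in a
# timthumb-config.php next to it (TimThumb reads overrides from that file).
timthumb_webshot_enabled() {
    dir=$(dirname "$1")
    cat "$1" "$dir/timthumb-config.php" 2>/dev/null |
        grep -Eiq "define *\( *['\"]WEBSHOT_ENABLED['\"] *, *true"
}

# Numeric key for "a.b.c" so versions compare with -lt: 2.8.13 -> 2008013.
version_key() {
    echo "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Exit 0 (vulnerable) when WebShot is on and the copy predates the 2.8.14 fix.
timthumb_is_vulnerable() {
    v=$(timthumb_version "$1")
    [ -n "$v" ] || return 1
    timthumb_webshot_enabled "$1" || return 1
    [ "$(version_key "$v")" -lt "$(version_key 2.8.14)" ]
}

# Walk a directory. Copies are frequently renamed (thumb.php etc.), so match on
# content rather than file name. One tab-separated line per copy found.
scan_tree() {
    find "$1" -type f -name '*.php' -exec grep -l 'TimThumb' {} + 2>/dev/null |
    while read -r f; do
        v=$(timthumb_version "$f")
        [ -n "$v" ] || continue
        if timthumb_is_vulnerable "$f"; then status="VULNERABLE"
        elif timthumb_webshot_enabled "$f"; then status="webshot on, patched"
        else status="webshot off"; fi
        printf '%s\t%s\t%s\n' "$v" "$status" "$f"
    done
}

# Constructed sample tree (NOT real TimThumb code): only the lines the audit keys on.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/theme-a" "$DEMO/theme-b" "$DEMO/plugin-c"
printf "<?php\n// TimThumb (constructed sample)\ndefine ('VERSION', '2.8.13');\ndefine ('WEBSHOT_ENABLED', true);\n" \
    > "$DEMO/theme-a/timthumb.php"          # old version, WebShot on: vulnerable
printf "<?php\n// TimThumb (constructed sample)\ndefine ('VERSION', '2.8.13');\ndefine ('WEBSHOT_ENABLED', false);\n" \
    > "$DEMO/theme-b/thumb.php"             # old version, WebShot off: not reachable
printf "<?php\n// TimThumb (constructed sample)\ndefine ('VERSION', '2.8.14');\n" \
    > "$DEMO/plugin-c/timthumb.php"
printf "<?php\ndefine ('WEBSHOT_ENABLED', true);\n" \
    > "$DEMO/plugin-c/timthumb-config.php"  # fixed version, WebShot on via config: patched

scan_tree "$DEMO"
```

Run it against the WordPress document root (for example `scan_tree /var/www/html/wp-content`) and treat any VULNERABLE line as a copy to update to 2.8.14 or to switch WebShot off in immediately; "webshot off" copies are not reachable through this bug but still deserve the update.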
Although the problem has essentially been solved, this is not the first time TimThumb has been at the centre of attacks; it is a well-known target precisely because it is installed on so many WordPress sites.
WordPress runs around 20 percent of all sites on the internet, so any weak plugin or feature is an attractive target for attackers looking to affect a large number of sites in one go. In the past, weak plugins have been used to run DNS attacks and for other malicious purposes.
If you are concerned about the security of your WordPress site, always apply the updates offered by WordPress and by the plugins and themes you use. Because TimThumb ships inside themes and plugins rather than being updated through WordPress's own plugin updater, check every copy on the site, not just the one you remember installing.