WordPress users running the TimThumb plugin, an image resizer, are vulnerable to exploits that allow attackers to execute malicious code, security firm Sucuri has warned.
The vulnerability affects WordPress sites that have TimThumb installed with the webshot option enabled. While the option is disabled by default, there is currently no patch for the remote-code execution hole.
WordPress users can check whether their site is vulnerable by opening the TimThumb file in edit mode, searching for the text string "WEBSHOT_ENABLED" and checking whether it is set to true. If so, simply change it to false - and do it now!
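The manual check above can be scripted across a whole WordPress install. The following script is an added example, not code from Sucuri or the TimThumb project; it assumes the setting appears in the file as a PHP `define('WEBSHOT_ENABLED', true)` line (the spacing and quoting in a given copy may vary, which the pattern tolerates) and that copies of TimThumb are named `timthumb.php` or `thumb.php`. It only reports; changing the value to false is still done by hand.

```shell
#!/bin/sh
# check_timthumb_webshot.sh - added example, not part of TimThumb or Sucuri's advisory.
# Finds copies of TimThumb under a WordPress tree and reports any whose
# WEBSHOT_ENABLED define is set to true. Assumed form of the setting:
#   define('WEBSHOT_ENABLED', true);   (spacing/quote style may differ)

# Returns 0 if the given file enables webshot, 1 otherwise.
timthumb_webshot_enabled() {
    file="$1"
    # Drop single-line comments first so a commented-out define does not count,
    # then match define( 'WEBSHOT_ENABLED' , true ) with flexible whitespace/quotes.
    sed -e 's://.*$::' -e 's:#.*$::' "$file" \
      | grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# Walks a directory tree, prints every timthumb.php/thumb.php that enables webshot,
# and returns 0 if at least one such copy was found, 1 otherwise.
scan_wordpress_tree() {
    root="$1"
    found=1
    # Split find output on newlines only, so paths containing spaces survive.
    old_ifs=$IFS
    IFS='
'
    for f in $(find "$root" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) 2>/dev/null); do
        if timthumb_webshot_enabled "$f"; then
            echo "VULNERABLE: $f (WEBSHOT_ENABLED is true; set it to false)"
            found=0
        fi
    done
    IFS=$old_ifs
    return $found
}

# Usage: sh check_timthumb_webshot.sh /var/www/html
# With no argument, runs against a constructed sample tree (not a real install):
# one copy with webshot enabled and one with it disabled.
if [ -n "$1" ]; then
    scan_wordpress_tree "$1" || echo "no TimThumb copies with WEBSHOT_ENABLED=true found under $1"
else
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/wp-content/themes/sample theme" "$demo_dir/wp-content/plugins/demo"
    printf '<?php\ndefine ("WEBSHOT_ENABLED", true);\n' > "$demo_dir/wp-content/themes/sample theme/timthumb.php"
    printf '<?php\ndefine ("WEBSHOT_ENABLED", false);\n' > "$demo_dir/wp-content/plugins/demo/thumb.php"
    scan_wordpress_tree "$demo_dir" || echo "no vulnerable copies in sample tree"
    rm -rf "$demo_dir"
fi
```

Run it against the web root of each WordPress install; any path it prints is a copy whose WEBSHOT_ENABLED line should be changed to false. Because themes and plugins often bundle their own copy of TimThumb, scanning the whole tree rather than a single known file is what catches the stragglers.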
When the option is set to true, attackers can create or delete files and execute a variety of commands on the server.