WordPress: Disable WebShot in TimThumb

Posted on 6.29.2014

WordPress users running the TimThumb plugin, an image resizer, are vulnerable to exploits that allow attackers to execute malicious code, security firm Sucuri has warned.

The vulnerability affects WordPress sites that have TimThumb installed with the webshot option enabled. While the option is disabled by default, there is currently no patch for the remote-code execution hole. 

WordPress users can check whether their site is vulnerable by opening the TimThumb file in edit mode, searching for the text string "WEBSHOT_ENABLED" and checking whether it is set to true. If so, simply change it to false - and do it now!

When the option is set to true, attackers can create or delete files, executing a variety of commands. 
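The check described above can be run across a whole install instead of one file at a time. The following is an added example, not code from TimThumb or Sucuri: it walks a directory tree and reports every PHP file that defines WEBSHOT_ENABLED as anything other than false. The function names, the sample paths and the sample PHP lines are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# define('WEBSHOT_ENABLED', <value>) with any spacing or quote style
DEFINE_RE = re.compile(r"""define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*([^)]+?)\s*\)""", re.I)
FALSY = {"false", "0", "null", ""}  # values PHP evaluates as false

def webshot_setting(php_source):
    """Return 'enabled', 'disabled', or None when the file has no define."""
    state = None
    for line in php_source.splitlines():
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip whole-line comments
        for match in DEFINE_RE.finditer(line):
            value = match.group(1).strip().strip("'\"").lower()
            if value not in FALSY:
                return "enabled"  # conservative: any truthy define counts
            state = "disabled"
    return state

def find_webshot_enabled(root):
    """Relative paths of PHP files under root that set WEBSHOT_ENABLED to true."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if webshot_setting(text) == "enabled":
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def demo():
    """Build a constructed WordPress-like tree and scan it."""
    samples = {  # constructed sample files, not taken from a real site
        "wp-content/themes/a/timthumb.php": "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);",
        "wp-content/themes/b/thumb.php": "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);",
        "wp-content/plugins/c/timthumb.php": "// define('WEBSHOT_ENABLED', true);\necho 'x';",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("<?php\n" + body + "\n", encoding="utf-8")
        return find_webshot_enabled(tmp)
```

Call `find_webshot_enabled()` with the path to the WordPress root. It scans every `.php` file rather than only `timthumb.php`, since themes and plugins may bundle the script under another name.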
