Thursday, June 26, 2014

Zero-Day TimThumb WebShot Vulnerability leaves Thousands of Wordpress Blogs at Risk

Yesterday we learned of a critical Zero-day vulnerability in a popular image resizing library called TimThumb, which is used in thousands WordPress themes and plugins.

WordPress is a free and open source blogging tool and a content management system (CMS) with more than 30,000 plugins, each of which offers custom functions and features enabling users to tailor their sites to their specific needs, therefore it is easy to setup and use, that’s why tens of millions of websites across the world opt it.

But if you or your company are the one using the popular image resizing library called “TimThumb” to resize large images into usable thumbnails that you can display on your site, then you make sure to update the file with the upcoming latest version and remember to check the TimThumb site regularly for the patched update.

The critical vulnerability discovered by Pichaya Morimoto in the TimThumb Wordpress plugin version 2.8.13, resides in its “Webshot” feature that, when enabled, allows attackers to execute commands on a remote website.