TimThumb.php – Security Vulnerability

We have been following the updates on the security vulnerability of TimThumb – an image resizing script used by many themes. To ensure all of our client sites are protected, we highly recommend doing one of the following:

Method 1: Update Theme

Download the latest version of the theme using the same download link sent to you upon purchase. All of our latest themes have a secure version of the script.

Method 2: Replace timthumb script via FTP

Delete your current timthumb.php file and replace it with the latest version of timthumb in your theme folder via FTP. Upon doing so, we also recommend this additional change:

Edit the $allowedSites variable and remove all sites referenced – it should look like this after the edit:

// external domains that are allowed to be displayed on your website
$allowedSites = array();

Method 3: Update timthumb via WP Editor

Follow these steps to update your existing timthumb file:

  • Login to your WP site. Go to Appearance => Editor.
  • Open timthumb.php and delete all of its contents.
  • Copy/Paste the contents of the latest version of timthumb. Perform the additional recommendation shown above in method 2.
  • Click Update File (save).
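Before choosing one of the methods above it helps to know which theme folders still carry a timthumb.php with external domains enabled. The following audit script is an added example, not code from the post or from TimThumb itself: it parses the allowed-sites list in both spellings quoted on this page ($allowedSites and $ALLOWED_SITES) and reports whether remote fetching is still switched on. The define('VERSION', ...) line it looks for is an assumption about how the script records its version, and the two sample files are constructed.

```python
import re
from pathlib import Path

# Constructed samples, not real files from the page. Variable names follow the two
# spellings quoted on this page: $allowedSites in older releases and $ALLOWED_SITES
# in 2.x. The define('VERSION', ...) line is an assumption about how the script
# records its version number.
SAMPLE_OLD = """<?php
define ('VERSION', '1.34');
// external domains that are allowed to be displayed on your website
$allowedSites = array ('flickr.com', 'picasa.com', 'blogger.com');
"""

SAMPLE_FIXED = """<?php
define ('VERSION', '2.8.3');
$ALLOWED_SITES = array ();
"""

VERSION_RE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")
SITES_RE = re.compile(
    r"\$(?:allowedSites|ALLOWED_SITES)\s*=\s*array\s*\((.*?)\)\s*;", re.S)
# Accepts straight and curly quotes: lists pasted from a web page often carry the latter.
ENTRY_RE = re.compile(r"[\'\"\u2018\u2019]([^\'\"\u2018\u2019]+)[\'\"\u2018\u2019]")


def audit_timthumb(source: str) -> dict:
    """Report the script version and which external hosts it will fetch images from."""
    version = VERSION_RE.search(source)
    sites = SITES_RE.search(source)
    entries = ENTRY_RE.findall(sites.group(1)) if sites else []
    return {
        "version": version.group(1) if version else None,
        "allowed_sites": entries,
        # An empty list means remote fetching is off, the end state the post asks for.
        "remote_fetch_enabled": bool(entries),
    }


def audit_tree(root: str) -> dict:
    """Run audit_timthumb over every timthumb.php below root (e.g. wp-content/themes)."""
    return {str(p): audit_timthumb(p.read_text(errors="replace"))
            for p in Path(root).rglob("timthumb.php")}


if __name__ == "__main__":
    for name, src in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED)):
        print(name, audit_timthumb(src))
```

Run audit_tree against a site's wp-content/themes directory to see every copy of the script at once; any entry with remote_fetch_enabled set to True still needs one of the three methods applied.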

If you have any questions, please let us know on the support forums and we’ll get you sorted.

9 Responses to "TimThumb.php – Security Vulnerability"

  1. Richard M.   August 5, 2011 at 10:04 PM

    Thank you for alerting us to the threat and solution.

    At your recommendation, I downloaded the most current versions of the themes I use. And, will update the servers with the newest version.

    Thanks again.

    Reply
  2. Sven   August 9, 2011 at 6:36 PM

    Where do I find the "$allowedsites" variable?

    Reply
    • Mehmet Ozek   August 9, 2011 at 8:06 PM

      Sven, open timthumb.php with a text editor -> press CTRL + F and look for

      $ALLOWED_SITES = array (

      Reply
  3. Roman   November 27, 2011 at 9:20 AM

    Is it possible to replace / not use timthumb?
    I had problems with timthumb before….

    Reply
    • Mehmet Ozek   November 27, 2011 at 4:42 PM

      Yes, our themes have a default WordPress thumbnails support option built in. All you need to do is click the Disable TimThumb check box within the theme control panel.

      Reply
  4. Luis de Rock Perú   December 3, 2011 at 8:22 PM

    I updated to version 2.8.3 of timthumb.php and I found this string:

    $ALLOWED_SITES = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
    'imgur.com',
    'imageshack.us',
    'tinypic.com',
    );

    Must I delete all of those referenced sites??? Thanks…

    Reply
    • Mehmet Ozek   December 4, 2011 at 9:35 PM

      2.8.3 is a secure version of timthumb. You don’t have to edit that file.

      Reply
  5. Chetan   December 4, 2011 at 9:35 PM

    Thanks, it has helped me a lot…

    Reply
  6. CIPPO Design   December 5, 2011 at 10:49 PM

    Yes, that did it! I have been trying to find a solution for this timthumb issue for almost 2 hours!

    Thank you!

    Reply