Arstechnica: A zero-day vulnerability in the popular TimThumb plugin for WordPress leaves many websites vulnerable to exploits that allow unauthorized attackers to execute malicious code, security researchers have warned.
The vulnerability, which was disclosed Tuesday on the Full Disclosure mailing list, affects WordPress sites that have TimThumb installed with the webshot option enabled. Fortunately, it is disabled by default, and sites that are hosted on WordPress.com are also not susceptible. Still, at press time, there was no patch for the remote-code execution hole. People who are unsure if their WordPress-enabled site is vulnerable should open the timthumb file inside their theme or plugin directory, search for the text string “WEBSHOT_ENABLED,” and ensure that it’s set to false.