A new “zero-day” vulnerability, meaning one that the developers have not yet had time to address [wiki], has been discovered affecting users of the TimThumb plugin. Here is the announcement from Sucuri, our recommended WordPress security service:
A new 0-Day vulnerability was just disclosed for TimThumb’s WebShot feature. If you’re using TimThumb and you’ve got the feature enabled, then your website is at risk of attack. This note is not meant to imply that your website, specifically, is at risk. However, this is a large enough vulnerability that we wanted to get a note out to clients as quickly as possible to make sure those who could be impacted are aware of the problem.
If you’re using TimThumb, then for the time being, it would be best for you to remove it or disable the WebShot feature until the vulnerability is patched.
Alternatively, if you’re worried that removing TimThumb may break certain features or themes on your site, you can protect your website behind a firewall and proactively protect it from this vulnerability and others like it. If you’d like to try the CloudProxy firewall out for a month, just reply to this email and we’ll set you up with a free 30-day trial.
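Before you can follow the advice above (remove TimThumb or switch WebShot off), you need to know which copies of TimThumb are on the server and whether WebShot is enabled in each. The audit script below is an added example, not Sucuri’s or TimThumb’s own code; it assumes TimThumb’s usual layout, where timthumb.php ships with WEBSHOT_ENABLED defined as false and an optional timthumb-config.php beside it may override that define.

```python
"""Find copies of TimThumb under a WordPress tree and report whether the
WebShot feature is switched on.  Added example, not TimThumb or Sucuri code.
Assumes TimThumb's own layout: timthumb.php ships with WEBSHOT_ENABLED
defined false, and timthumb-config.php beside it may override the define."""
import os
import re
# Matches define('WEBSHOT_ENABLED', true) with any spacing or quote style.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)

def webshot_setting(php_source):
    """True/False for an explicit define(), None if the file does not set it."""
    m = DEFINE_RE.search(php_source)
    return None if m is None else m.group(1).lower() == "true"

def effective_webshot(timthumb_src, config_src=""):
    """Effective setting: config file wins, then timthumb.php, then default off."""
    for src in (config_src, timthumb_src):
        v = webshot_setting(src)
        if v is not None:
            return v
    return False

def audit_tree(root):
    """Walk root; return [(path, webshot_on)] for every TimThumb copy found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in ("timthumb.php", "thumb.php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if "timthumb" not in src.lower():
                continue  # a thumb.php that is not TimThumb
            cfg = os.path.join(dirpath, "timthumb-config.php")
            cfg_src = ""
            if os.path.isfile(cfg):
                with open(cfg, encoding="utf-8", errors="replace") as fh:
                    cfg_src = fh.read()
            findings.append((path, effective_webshot(src, cfg_src)))
    return findings

if __name__ == "__main__":
    for path, on in audit_tree("wp-content"):  # run from the WordPress root
        print(f"{'WEBSHOT ON ' if on else 'webshot off'}  {path}")
```

Any copy reported with WebShot on should have the define set to false (or the file removed) until a patched TimThumb is installed; copies reported off still carry the rest of TimThumb’s history and are worth inventorying.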
If you’d like to learn more about adding high-tech, cutting-edge security to your WordPress site, check out Sucuri.