Security Update for Modularity, Photo Workshop, Widescreen WordPress Themes


This just in from VaultPress, the makers of WordPress.com:

Yesterday we learned of a vulnerability in a popular image resizing library called TimThumb, which is used in many WordPress themes and plugins, including a few of our older themes. The vulnerability was first reported by Mark Maunder in a post on his blog, and has been confirmed by the author of TimThumb.

The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.

Affected Themes

Three of our themes (Modularity, Photo Workshop, Widescreen) used this script as a fallback for generating thumbnails when a user did not set a Featured Image in WordPress. It let users who host images elsewhere (PhotoShelter, Flickr, etc.) get thumbnails for their posts without uploading images into WordPress or setting a Featured Image for each post. Because we have removed this script from our themes, you will now always need to upload and set a Featured Image in WordPress if you want thumbnails for your Posts or homepage apps.

The Fix

If you are using version 2.9.5 or earlier of Modularity or any of its child themes (High Def, F8, Modfolio, Modslider, Workspace, On Assignment, Workaholic Pro et al), you have three options:

  1. Delete the timthumb.php file and the cache and temp folders from your Modularity theme folder in WordPress, located at /wp-content/themes/modularity/includes/. Only users who didn’t upload or set a Featured Image in WordPress might have relied on this file to generate thumbnail images for Posts. If you use a third party image hosting service, like PhotoShelter, and have used their PhotoShelter Official Plugin for adding images into your WordPress site, you will need to upload and set a Featured Image for all Posts that are missing thumbnails. Here is a video tutorial on how to assign Featured Images in WordPress.
  2. Upgrade to Version 3.0 of Modularity and its child themes. We have removed the file that has the security hole from all of our themes (it was only added to make it easy for users who didn’t know about WordPress’ Featured Image tool to create thumbnails for posts). You can download the latest versions of Modularity and its child themes from your member dashboard.
  3. Upgrade the timthumb.php file in your theme folder and delete all the content inside your cache and temp folders. The author of the script released a security update today that closes the hole. You can download the updated script here. This option is NOT RECOMMENDED.

If you are using version 1.1.1 or earlier of Photo Workshop, you have three options:

  1. Delete the timthumb.php file and the cache and temp folders from your Photo Workshop theme folder in WordPress, located at /wp-content/themes/photo-workshop/includes/. Only users who didn’t upload or set a Featured Image in WordPress might have relied on this file to generate thumbnail images for Posts. If you use a third party image hosting service, like PhotoShelter, and have used their PhotoShelter Official Plugin for adding images into your WordPress site, you will need to upload and set a Featured Image for all Posts that are missing thumbnails. Here is a video tutorial on how to assign Featured Images in WordPress.
  2. Upgrade to Version 1.1.2 of Photo Workshop. We have removed the file that has the security hole from all of our themes (it was only added to make it easy for users who didn’t know about WordPress’ Featured Image tool to create thumbnails for posts). You can download the latest version of Photo Workshop from your member dashboard.
  3. Upgrade the timthumb.php file in your theme folder and delete all the content inside your cache and temp folders. The author of the script released a security update today that closes the hole. You can download the updated script here. This option is NOT RECOMMENDED.

If you are using version 1.5.1 or earlier of Widescreen, you have three options:

  1. Delete the timthumb.php file and the cache and temp folders from your Widescreen theme folder in WordPress, located at /wp-content/themes/widescreen/includes/. Only users who didn’t upload or set a Featured Image in WordPress might have relied on this file to generate thumbnail images for Posts. If you use a third party image hosting service, like PhotoShelter, and have used their PhotoShelter Official Plugin for adding images into your WordPress site, you will need to upload and set a Featured Image for all Posts that are missing thumbnails. Here is a video tutorial on how to assign Featured Images in WordPress.
  2. Upgrade to Version 1.5.2 of Widescreen. We have removed the file that has the security hole from all of our themes (it was only added to make it easy for users who didn’t know about WordPress’ Featured Image tool to create thumbnails for posts). You can download the latest version of Widescreen from your member dashboard.
  3. Upgrade the timthumb.php file in your theme folder and delete all the content inside your cache and temp folders. The author of the script released a security update today that closes the hole. You can download the updated script here. This option is NOT RECOMMENDED.

We have updated all of these themes to remedy the issue and we strongly suggest that you update your installations as soon as possible with one of the three fixes above.
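The three option lists above come down to two mechanical steps: find every copy of timthumb.php under wp-content/themes, then either remove it together with the cache and temp folders beside it (option 1) or update it and empty those folders (option 3). The shell script below is an added example, not code from Graph Paper Press or from TimThumb. It audits a WordPress tree for those files, reports any entry in a cache or temp folder that contains PHP code (the planted script the post warns about), and can carry out the option 1 removal, defaulting to a dry run. The directory layout it searches, the throwaway sample tree it builds for a stand-alone run, the WP_ROOT variable and the function names are all assumptions of this example.

```shell
#!/bin/sh
# Added example for this post, not code from Graph Paper Press or TimThumb.
# Finds the files the post tells you to deal with (timthumb.php plus the
# cache/ and temp/ folders beside it), reports cache/temp entries carrying PHP
# code, and can perform the "option 1" removal. Assumes the layout the post
# describes: wp-content/themes/<theme>/includes/{timthumb.php,cache,temp}.

# Print every timthumb.php under wp-content/themes of the given site root.
find_timthumb_copies() {
    find "$1/wp-content/themes" -type f -name 'timthumb.php' 2>/dev/null | sort
}

# Print the cache/ and temp/ directories that sit beside each timthumb.php.
find_timthumb_dirs() {
    find_timthumb_copies "$1" | while read -r script; do
        dir=$(dirname "$script")
        for sub in cache temp; do
            if [ -d "$dir/$sub" ]; then printf '%s\n' "$dir/$sub"; fi
        done
    done
}

# Print files inside those cache/temp directories that contain a PHP open tag.
# Anything here should be image data, so a match is what the post describes:
# PHP planted in the cache. This function only reports; it deletes nothing.
find_php_in_cache() {
    find_timthumb_dirs "$1" | while read -r dir; do
        find "$dir" -type f -exec grep -l -F '<?php' '{}' + 2>/dev/null || true
    done | sort
}

# Option 1 from the post: remove timthumb.php and its cache/temp folders.
# Lists each target; only removes when the second argument is "delete".
remove_timthumb() {
    mode="${2:-dry-run}"
    find_timthumb_copies "$1" | while read -r script; do
        dir=$(dirname "$script")
        for target in "$script" "$dir/cache" "$dir/temp"; do
            [ -e "$target" ] || continue
            printf '%s\n' "$target"
            if [ "$mode" = "delete" ]; then rm -rf "$target"; fi
        done
    done
}

# Build a constructed sample site (not a real install) in a temp dir and print
# its path: one theme still carrying timthumb.php, with an ordinary cached
# image and a planted PHP file in its cache, and one theme already cleaned up.
make_sample_tree() {
    root=$(mktemp -d)
    inc="$root/wp-content/themes/modularity/includes"
    mkdir -p "$inc/cache" "$inc/temp" "$root/wp-content/themes/clean-theme/includes"
    printf '<?php /* constructed stand-in for timthumb.php */\n' > "$inc/timthumb.php"
    printf 'GIF89a constructed image bytes\n' > "$inc/cache/thumb1.txt"
    printf '<?php /* constructed stand-in for a planted script */\n' > "$inc/cache/planted.php"
    printf '%s\n' "$root"
}

# Stand-alone run: audit WP_ROOT if set, otherwise the constructed sample tree.
if [ -z "$WP_ROOT" ]; then WP_ROOT=$(make_sample_tree); fi
echo "timthumb.php copies:";    find_timthumb_copies "$WP_ROOT"
echo "PHP code in cache/temp:"; find_php_in_cache "$WP_ROOT"
echo "would remove (dry run):"; remove_timthumb "$WP_ROOT" dry-run
```

Run it with WP_ROOT pointing at the site root (the directory that contains wp-content) to audit a real install; without WP_ROOT it builds and audits the throwaway sample tree. One caveat on the report, which is a note about the updated script rather than something the post states: TimThumb 2.x prefixes every cache entry with a PHP die() stub, so on an install that already took option 3 every cache file will match, and the answer in either case is the same as the post's: empty the folders.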

This entry was posted in Announcements, Blog.

Posted by , at Graph Paper Press

Thad is a photographer, designer and developer who embraces the evolution of storytelling on the web. He lives in Brooklyn, NY with his wife Abby.


  • Pingback: Security Update for Modularity, Photo Workshop, Widescreen WordPress Themes | themek

  • Pingback: TimThumb security vulnerability discovered, affects many WordPress themes | WPCandy


  • Pingback: TimThumb security vulnerability discovered: Affects many WordPress themes | TechBlog Central

  • Tikemyson

    Do F8-lite and Modularity-lite have the same issue? Can’t find timthumb.php there.

    • http://graphpaperpress.com Graph Paper Press

      Nope. Just the three themes listed above.

  • http://edwardbacon.com/blog/ Ed Bacon

    I updated to Modularity v 3.0.1 and seem to have lost the ability to set the Navigation options.

    • http://graphpaperpress.com Graph Paper Press

      WordPress 3.0 introduced a new feature that made our old Navigation Theme Option panel pointless. You now set your Navigation Menus using the Appearance -> Menu tab in WordPress. Here is a video tutorial:

      http://vimeo.com/16432328

      • http://edwardbacon.com/blog/ Ed Bacon

        The Navigation option page used to have a check box to use 3.0 Menus.
        Questions:
        1. How does one now enable 3.0 Menus for Modularity w/o the option page?
        2. How does integration with Photoshelter themes work, or does it?

        • http://edwardbacon.com/blog/ Ed Bacon

          The slide show does not auto start on the home page (lost that check box too)

        • http://twitter.com/thadallender Thad Allender

          1.  Just visit your Appearance -> Menus page and use the drag/drop interface to choose your categories.  Then, make sure you set a specific Menu to show in the preferred Menu Location (top left of Menu page)
          2.  Create a Custom Menu item called something like “Photo Archive”, then create all of your desired PhotoShelter menu links as Custom Links and drag them under the “Photo Archive” menu link you already created.

        • http://twitter.com/thadallender Thad Allender

          If your slideshow isn’t working, try downloading a fresh copy from your member dashboard:

          http://graphpaperpress.com/members/member.php


  • PhotoPaper Types

    After the update I installed I can’t get to the Navigational Options as well?

    • http://twitter.com/thadallender Thad Allender

      WordPress 3.0 introduced a new feature that made our old Navigation Theme Option panel pointless. You now set your Navigation Menus using the Appearance -> Menu tab in WordPress. Here is a video tutorial: http://vimeo.com/16432328


  • http://twitter.com/ZezzyZ Zezzyy

    These updates are tricky, and figuring out which plug-ins work with what is a pain!


  • Pingback: Modularity 3.0.3 Released | Graph Paper Press

  • Pingback: F8 Remixed 3.0.1 Released | Graph Paper Press

  • Pingback: High Def 3.0.1 Released | Graph Paper Press

  • Pingback: Modularity 3.0.3 Released | themek

  • Pingback: F8 Remixed 3.0.1 Released | themek

  • Pingback: On Assignment 3.0.1 Released | Graph Paper Press

  • Pingback: Workaholic Pro 3.0.1 Released | Graph Paper Press

  • Pingback: On Assignment 3.0.1 Released | themek

  • http://twitter.com/GannonVisuals Christopher Gannon

    If I don’t update to Modularity 3.0, and use fix #1 above, is my site at a security risk? I am no longer a GPP member, so I can’t update Modularity, right?

  • Sarah

    great post thad

    one technicality though, have you got an ‘o’ instead of a ‘0’ here?
    “Upgrade to Version 3.o of Modularity”

    sarah

  • Pingback: Interview on the TimThumb for WordPress security issue | LightSpeed

  • Sachlenesingh

    Hi Thad,

    I just started using the Modularity theme on my wordpress.com blog. I am very impressed with the slide show of images as the header image feature. Couple of questions about that:
     – Can I dis-include a post or an image from the slideshow?
     – I see the Featured Image tool, but I’m not sure how to select the featured Image for a post. I understand that by default it is the first image in the post. Can I change that on a per post basis?

    Thanks in advance,
    -Leena

  • http://www.facebook.com/lachlan.mcwilliam Lachlan McWilliam

    Unfortunately we were not aware of this and we just lost our entire site. 2+ years of work down the tubes. Somehow the hacker was able to delete our themes and uploads folder. Unfortunately our backup was infected too. http://thevagabondadventures.com

  • Pingback: TimThumb security vulnerability discovered, affects many WordPress themes | News|Philippine Web Hosting

  • Sanjosebikeblog

    Using securi.net services now after a bad malware attack on our server. I have a site I worked on for 2 years as well; it’s almost back up, just need to update the theme. I HIGHLY suggest them if your site is down.

    • Sanjosebikeblog

      Sorry, it’s sucuri.net, I keep misspelling it!