
Security Update for Modularity, Photo Workshop, Widescreen WordPress Themes

This just in from VaultPress, the makers of WordPress.com:

Yesterday we learned of a vulnerability in a popular image resizing library called TimThumb, which is used in many WordPress themes and plugins, including a few of our older themes. The vulnerability was first reported by Mark Maunder in a post on his blog, and has been confirmed by the author of TimThumb.

The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.

Affected Themes

Three of our themes (Modularity, Photo Workshop, Widescreen) used this script as a fallback for generating thumbnails when a user didn’t set a Featured Image in WordPress. The script let users who hosted images elsewhere (PhotoShelter, Flickr, etc.) have thumbnails generated for their posts without uploading images into WordPress or setting a Featured Image for each post. Because we have removed this script from our themes, you will now need to upload and set a Featured Image in WordPress whenever you want thumbnails for your Posts or homepage apps.

The Fix

If you are using version 2.9.5 or earlier of Modularity or any of its child themes (High Def, F8, Modfolio, Modslider, Workspace, On Assignment, Workaholic Pro et al.), you have three options:

  1. Delete the timthumb.php file and the cache and temp folders from your Modularity theme folder in WordPress, located at /wp-content/themes/modularity/includes/. Only users who didn’t upload or set a Featured Image in WordPress might have relied on this file to generate thumbnail images for Posts. If you use a third party image hosting service, like PhotoShelter, and have used their PhotoShelter Official Plugin for adding images into your WordPress site, you will need to upload and set a Featured Image for all Posts that are missing thumbnails. Here is a video tutorial on how to assign Featured Images in WordPress.
  2. Upgrade to Version 3.0 of Modularity and its child themes. We have removed the file that has the security hole from all of our themes (it was only added to make it easy for users who didn’t know about WordPress’ Featured Image tool to create thumbnails for posts). You can download the latest versions of Modularity and its child themes from your member dashboard.
  3. Upgrade the timthumb.php file in your theme folder and delete all the content inside your cache and temp folders. The author of the script released a security update today that fixes the exploit. You can download the updated script here. This option is NOT RECOMMENDED.

If you are using version 1.1.1 or earlier of Photo Workshop, you have three options:

  1. Delete the timthumb.php file and the cache and temp folders from your Photo Workshop theme folder in WordPress, located at /wp-content/themes/photo-workshop/includes/. Only users who didn’t upload or set a Featured Image in WordPress might have relied on this file to generate thumbnail images for Posts. If you use a third party image hosting service, like PhotoShelter, and have used their PhotoShelter Official Plugin for adding images into your WordPress site, you will need to upload and set a Featured Image for all Posts that are missing thumbnails. Here is a video tutorial on how to assign Featured Images in WordPress.
  2. Upgrade to Version 1.1.2 of Photo Workshop. We have removed the file that has the security hole from all of our themes (it was only added to make it easy for users who didn’t know about WordPress’ Featured Image tool to create thumbnails for posts). You can download the latest version of Photo Workshop from your member dashboard.
  3. Upgrade the timthumb.php file in your theme folder and delete all the content inside your cache and temp folders. The author of the script released a security update today that fixes the exploit. You can download the updated script here. This option is NOT RECOMMENDED.

If you are using version 1.5.1 or earlier of Widescreen, you have three options:

  1. Delete the timthumb.php file and the cache and temp folders from your Widescreen theme folder in WordPress, located at /wp-content/themes/widescreen/includes/. Only users who didn’t upload or set a Featured Image in WordPress might have relied on this file to generate thumbnail images for Posts. If you use a third party image hosting service, like PhotoShelter, and have used their PhotoShelter Official Plugin for adding images into your WordPress site, you will need to upload and set a Featured Image for all Posts that are missing thumbnails. Here is a video tutorial on how to assign Featured Images in WordPress.
  2. Upgrade to Version 1.5.2 of Widescreen. We have removed the file that has the security hole from all of our themes (it was only added to make it easy for users who didn’t know about WordPress’ Featured Image tool to create thumbnails for posts). You can download the latest version of Widescreen from your member dashboard.
  3. Upgrade the timthumb.php file in your theme folder and delete all the content inside your cache and temp folders. The author of the script released a security update today that fixes the exploit. You can download the updated script here. This option is NOT RECOMMENDED.

We have updated all of these themes to remedy the issue and we strongly suggest that you update your installations as soon as possible with one of the three fixes above.
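For site owners who want to check an installation before and after applying fix option 1 above, here is an added shell script (not code from Graph Paper Press, VaultPress or the TimThumb project). It looks for timthumb.php and the cache/temp folders under the three theme paths named in this post, flags any .php file sitting inside a cache or temp folder (the place the advisory says uploaded code ends up), and can remove the script and folders; the theme slugs are taken from the paths above, and the sample install it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from Graph Paper Press or the TimThumb project.
# Audits a WordPress root for the TimThumb fallback script in the three
# theme paths this advisory names, flags PHP files inside the cache/temp
# folders (where the advisory says uploaded code ends up), and applies
# fix option 1. Theme slugs are taken from the paths in the post.
# Usage: sh timthumb-audit.sh /path/to/wordpress

THEMES="modularity photo-workshop widescreen"

# Print one finding per line for the WordPress root given as $1.
audit_timthumb() {
    for theme in $THEMES; do
        inc="$1/wp-content/themes/$theme/includes"
        [ -d "$inc" ] || continue
        if [ -f "$inc/timthumb.php" ]; then
            echo "SCRIPT  $inc/timthumb.php"
        fi
        for d in cache temp; do
            [ -d "$inc/$d" ] || continue
            echo "DIR     $inc/$d"
            # A .php file in a thumbnail cache is never a resized image.
            find "$inc/$d" -type f -name '*.php' | sed 's/^/SUSPECT /'
        done
    done
}

# Fix option 1: delete timthumb.php plus the cache and temp folders.
remove_timthumb() {
    for theme in $THEMES; do
        inc="$1/wp-content/themes/$theme/includes"
        rm -f "$inc/timthumb.php"
        rm -rf "$inc/cache" "$inc/temp"
    done
}

# Constructed sample install (not a real site), printed as a temp path:
# Modularity still ships the script and has a planted .php in its cache,
# Widescreen is already clean, Photo Workshop is not installed.
make_fixture() {
    root=$(mktemp -d)
    m="$root/wp-content/themes/modularity/includes"
    mkdir -p "$m/cache" "$m/temp" "$root/wp-content/themes/widescreen/includes"
    echo '<?php // resizer' > "$m/timthumb.php"
    echo 'cached image bytes' > "$m/cache/abc123.jpg"
    echo '<?php // planted' > "$m/cache/notanimage.php"
    echo "$root"
}

if [ -n "$1" ]; then audit_timthumb "$1"; fi
```

Any SUSPECT line deserves a closer look before deleting, since it is evidence of what was uploaded; a clean audit after `remove_timthumb` prints nothing.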
