
Security Update for Modularity, Photo Workshop, Widescreen WordPress Themes

This just in from VaultPress, the makers of WordPress.com:

Yesterday we learned of a vulnerability in a popular image resizing library called TimThumb, which is used in many WordPress themes and plugins, including a few of our older themes. The vulnerability was first reported by Mark Maunder in a post on his blog, and has been confirmed by the author of TimThumb.

The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.

Affected Themes

Three of our themes (Modularity, Photo Workshop, Widescreen) used this script as a fallback for generating thumbnails when a user didn’t set a Featured Image in WordPress. The script helped users who hosted images elsewhere (PhotoShelter, Flickr, etc.) get thumbnails for their posts without uploading images into WordPress or setting a Featured Image for each post. Because we have removed this script from our themes, you will now always need to upload and set a Featured Image in WordPress if you want thumbnails for your Posts or homepage apps.

The Fix

If you are using version 2.9.5 or earlier of Modularity or any of its child themes (High Def, F8, Modfolio, Modslider, Workspace, On Assignment, Workaholic Pro et al) you have three options:

  1. Delete the timthumb.php file and the cache and temp folders from your Modularity theme folder in WordPress, located at /wp-content/themes/modularity/includes/. Only users who didn’t upload or set a Featured Image in WordPress might have relied on this file to generate thumbnail images for Posts. If you use a third-party image hosting service, like PhotoShelter, and have used their PhotoShelter Official Plugin for adding images into your WordPress site, you will need to upload and set a Featured Image for all Posts that are missing thumbnails. Here is a video tutorial on how to assign Featured Images in WordPress.
  2. Upgrade to Version 3.0 of Modularity and its child themes. We have removed the file that has the security hole from all of our themes (it was only added to make it easy for users who didn’t know about WordPress’ Featured Image tool to create thumbnails for posts). You can download the latest versions of Modularity and its child themes from your member dashboard.
  3. Upgrade the timthumb.php file in your theme folder and delete all the content inside your cache and temp folders. The author of the script released a security update today that fixes the exploit. You can download the updated script here. This option is NOT RECOMMENDED.

If you are using version 1.1.1 or earlier of Photo Workshop you have three options:

  1. Delete the timthumb.php file and the cache and temp folders from your Photo Workshop theme folder in WordPress, located at /wp-content/themes/photo-workshop/includes/. Only users who didn’t upload or set a Featured Image in WordPress might have relied on this file to generate thumbnail images for Posts. If you use a third-party image hosting service, like PhotoShelter, and have used their PhotoShelter Official Plugin for adding images into your WordPress site, you will need to upload and set a Featured Image for all Posts that are missing thumbnails. Here is a video tutorial on how to assign Featured Images in WordPress.
  2. Upgrade to Version 1.1.2 of Photo Workshop. We have removed the file that has the security hole from all of our themes (it was only added to make it easy for users who didn’t know about WordPress’ Featured Image tool to create thumbnails for posts). You can download the latest versions of Photo Workshop from your member dashboard.
  3. Upgrade the timthumb.php file in your theme folder and delete all the content inside your cache and temp folders. The author of the script released a security update today that fixes the exploit. You can download the updated script here. This option is NOT RECOMMENDED.

If you are using version 1.5.1 or earlier of Widescreen you have three options:

  1. Delete the timthumb.php file and the cache and temp folders from your Widescreen theme folder in WordPress, located at /wp-content/themes/widescreen/includes/. Only users who didn’t upload or set a Featured Image in WordPress might have relied on this file to generate thumbnail images for Posts. If you use a third-party image hosting service, like PhotoShelter, and have used their PhotoShelter Official Plugin for adding images into your WordPress site, you will need to upload and set a Featured Image for all Posts that are missing thumbnails. Here is a video tutorial on how to assign Featured Images in WordPress.
  2. Upgrade to Version 1.5.2 of Widescreen. We have removed the file that has the security hole from all of our themes (it was only added to make it easy for users who didn’t know about WordPress’ Featured Image tool to create thumbnails for posts). You can download the latest versions of Widescreen from your member dashboard.
  3. Upgrade the timthumb.php file in your theme folder and delete all the content inside your cache and temp folders. The author of the script released a security update today that fixes the exploit. You can download the updated script here. This option is NOT RECOMMENDED.

We have updated all of these themes to remedy the issue and we strongly suggest that you update your installations as soon as possible with one of the three fixes above.
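
To confirm that the fix took effect, the following added example (not code from Graph Paper Press or the TimThumb project) lists any timthumb.php left under wp-content/themes and any PHP file sitting in a theme's cache or temp folder, which is where the vulnerability lets uploaded code land. The function names and the sample tree are constructed for illustration; treating every PHP file in those folders as something to review is an assumption of this check.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the TimThumb remediation above.
# Function names and the sample tree are constructed for illustration.

# Print every timthumb.php still present under wp-content/themes.
find_timthumb() {
    find "$1/wp-content/themes" -type f -name 'timthumb.php' 2>/dev/null | sort
}

# Print PHP files inside any theme's cache/ or temp/ folder. An image cache
# should hold only images, so each hit needs review before deletion.
find_cached_php() {
    find "$1/wp-content/themes" -type f -name '*.php' \
        \( -path "$1/wp-content/themes/*/cache/*" \
           -o -path "$1/wp-content/themes/*/temp/*" \) 2>/dev/null | sort
}

# One finding per line; no output means no TimThumb copy and no PHP file
# in a cache/ or temp/ folder remains in this tree.
audit() {
    find_timthumb "$1"   | sed 's/^/TIMTHUMB /'
    find_cached_php "$1" | sed 's/^/PHP-IN-CACHE /'
}

# Build a constructed sample tree (not real site data) and print its path.
make_sample_tree() {
    sample_root=$(mktemp -d)
    inc="$sample_root/wp-content/themes/modularity/includes"
    mkdir -p "$inc/cache" "$inc/temp" \
             "$sample_root/wp-content/themes/widescreen/includes"
    : > "$inc/timthumb.php"
    : > "$inc/cache/thumb_0001.png"
    : > "$inc/cache/external_0001.php"     # constructed file name
    : > "$sample_root/wp-content/themes/widescreen/includes/functions.php"
    echo "$sample_root"
}

# Audit the path given as $1, or the sample tree when run without arguments.
if [ -n "${1:-}" ]; then
    audit "$1"
else
    demo=$(make_sample_tree)
    audit "$demo"
    rm -rf "$demo"
fi
```

Run it with the WordPress root as the only argument; an empty result after applying one of the fixes means neither finding remains.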

31 responses to “Security Update for Modularity, Photo Workshop, Widescreen WordPress Themes”


  4. Tikemyson Avatar

    has F8-lite and Modularity-lite the same issue? can’t find timthump.php there.

    1. Graph Paper Press Avatar

      Nope. Just the three themes listed above.

  5. Ed Bacon Avatar

    I updated to Modularity v 3.0.1 and seem to have lost the ability to set the Navigation options

    1. Graph Paper Press Avatar

      WordPress 3.0 introduced a new feature that made our old Navigation Theme Option panel pointless. You now set your Navigation Menus using the Appearance -> Menu tab in WordPress. Here is a video tutorial:


      1. Ed Bacon Avatar

        The Navigation option page used to have a check box to use 3.0 Menus.
        1. How does one now enable 3.0 Menus for Modularity w/o the option page?
        2. How does integration with Photoshelter  themes work, or does it?

        1. Ed Bacon Avatar

          The slide show does not auto start on the home page (lost that check box too)

        2. Thad Allender Avatar

          1.  Just visit your Appearance -> Menus page and use the drag/drop interface to choose your categories.  Then, make sure you set a specific Menu to show in the preferred Menu Location (top left of Menu page)
          2.  Create a Custom Menu item called something like “Photo Archive”, then create all of your desired PhotoShelter menu links as Custom Links and drag them under the “Photo Archive” menu link you already created.

        3. Thad Allender Avatar

          If your slideshow isn’t working, try downloading a fresh copy from your member dashboard:



  12. PhotoPaper Types Avatar

    After the update I installed I can’t get to the Navigational Options as well?

    1. Thad Allender Avatar

      WordPress 3.0 introduced a new feature that made our old Navigation Theme Option panel pointless. You now set your Navigation Menus using the Appearance -> Menu tab in WordPress. Here is a video tutorial: http://vimeo.com/16432328


  15. Zezzyy Avatar

    these updates are tricky, and figuring out which plug ins work with what is a pain!


  18. Christopher Gannon Avatar

    If I don’t update to Modularity 3.0, and use fix #1 above, is my site at
    a security risk?  I am no longer a GPP member, so I can’t update
    Modularity, right?

    1. Graph Paper Press Avatar

      If you don’t upgrade, your site could still be at risk.

      1. Delete or update the timthumb.php file: http://code.google.com/p/timthumb/
      2. Scan your site for the hack: http://sitecheck.sucuri.net/
      3. Double check for these symptoms and remove them: http://wordpress.org/support/topic/malware-counter-wordpresscom-warning-on-chrome
      Feel free to contact us if you’d like help with the above: https://graphpaperpress.com/contact/

  19. Sarah Avatar

    great post thad

    one technicality though, have you got an ‘o’ instead of a ‘0’ here?
    “Upgrade to Version 3.o of Modularity”


  20. Sachlenesingh Avatar

    Hi Thad,

    I just started using the Modularity theme on my wordpress.com blog. I am very impressed with the slide show of images, as the header image feature. Couple of questions about that
     – Can I dis-include a  post or an image from the slideshow?
     – I see the Featured Image tool, but I’m not sure how to select the featured Image for a post. I understand that by default it is the first image in the post. Can I change that on a per post basis?

    Thanks in advance,

  21. Lachlan McWilliam Avatar

    Unfortunately we were not aware of this and we just lost our entire site. 2+ years of work down the tubes. Somehow the hacker was able to delete our themes and uploads folder. Unfortunately our backup was infected too. http://thevagabondadventures.com

  22. Sanjosebikeblog Avatar

    using securi.net services now after a bad malware attack on our server, I have a site I worked on for 2 years as well, it’s almost back up, just need to update the theme, I HIGHLY suggest them if your site is down –

    1. Sanjosebikeblog Avatar

      sorry it’s sucuri.net, I keep misspelling it!
