Description

The TimThumb script is exploitable only if the WebShot feature is enabled. By default, WebShot is disabled.

TimThumb is a small php script for cropping, zooming and resizing web images (jpg, png, gif). Many WordPress themes and plugins distribute this script. A remote code execution vulnerability was reported in the WebShot feature of this script. This vulnerability was reported in v2.8.13 but previous versions are also vulnerable.

Remediation

Upgrade to the latest version of timthumb or disable the WebShot feature (if enabled).

References

Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)

Related Vulnerabilities

WordPress Plugin BJ Lazy Load Remote Code Execution (0.7.5)

RCE in Ivanti Connect Secure and Policy Secure (CVE-2024-21887)

Liferay TunnelServlet Deserialization Remote Code Execution

Apache Log4j2 JNDI Remote Code Execution

Reflected Cross-Site Scripting (XSS) vulnerability in PAN-OS management web interface

Severity

High

Classification

CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution