Hackers are actively exploiting a zero-day vulnerability that may be affecting millions of WordPress users. The bug was found in an image re-sizing utility that comes built-in to a number of commercial and free themes on the popular blogging platform.
The vulnerability, discovered by Feedjit founder Mark Maunder, is located in an image re-sizing utility called timthumb.php. Maunder contacted the developer of timthumb.php, whose own blog was also hacked using the same method. According to Maunder’s blog post on the matter, Maunder has supplied what he is calling a “tiny patch,” and timtumb.php’s developer is working on a more comprehensive fix.
According to Maunder, timthumb.php is insecure by design, with re-sized files written into a directory that is accessible by people visiting the site. That’s a process that Maunder says is “never a good idea.”
It is recommended that users of WordPress using any theme bundled with timthumb.php, of which there are many, should immediately either disable those themes or set the “$allowedSites array” to empty. Maunder estimates that the bug may be affecting as many as 39 million blogs.
Maunder claims he discovered the bug when he loaded a page on his own blog and heard that all-too-familiar voice telling him, “Congratulations! You’re a winner!”
As the blogging platform has grown in popularity, so too has its value as a viable target for cybercriminals. Back in April, Servers belonging to Automattic, which makes WordPress’s blogging software, were hacked and the company’s source code is believed to have been exposed and copied. More recently, the WordPress security team discovered a number of back doors in some of the platform’s most popular plug-ins and required that users change their account passwords.
For a more in-depth analysis of the issue and also a way to fix the problem, read Maunder’s blog post.