WordPress plugin leads to zero-day attacks

A popular script used by many WordPress themes has been found to contain a zero-day bug that has left several self-hosted blogs - including that of the script's creator - serving up advertising content for someone else.

The 'timthumb.php' script is a handy add-on for open-source blogging platform WordPress that allows images to be quickly cropped and resized. It offers flexibility above and beyond that of the tools integrated into WordPress itself, to the point that many themes for the software bundle a copy of the script to make image manipulation easier.

Sadly, the script contains a pretty serious bug: poor pattern matching on the portion of the script that deals with loading images from third-party hosting services like Flickr and Picasa allows an attacker to upload and execute arbitrary PHP code to the server.

First publicised by Mark Maunder, the flawed script - which is used on millions of sites around the world - has already been used by ne'er-do-wells to inject advertising content into third-party blogs. "Earlier today this blog was hacked," Maunder writes. "I found out because I loaded a page on my blog and my blog spoke to me. It said 'Congratulations, you’re a winner.'"

Knowing that he didn't run any advertising content on his site, Maunder tracked the problem down to encoded PHP injected into one of his files via the flaw in timthumb.php.

Thankfully, that flaw has now been resolved in the latest version of the file hosted on Google Code. Sadly, that update will take time to trickle through to theme creators, and any abandoned themes will likely never receive the security update.

For now, users are advised to search their servers for timthumb.php and replace it manually using the latest version.