Remote Code Execution in TimThumb Plugin for WordPress
CVE-2011-4106
What is CVE-2011-4106?
The TimThumb script (timthumb.php) before version 2.0 does not adequately validate image sources against its defined whitelist. An attacker can pass a URL that matches the whitelist criteria in the 'src' parameter and then request the cached copy of that file directly, which results in the upload and execution of arbitrary code. The flaw was exploited in the wild starting in August 2011, so WordPress users should update their TimThumb installations to mitigate the risk.
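The following added example (not TimThumb's code, and not from the original page) contrasts a loose source check with a hardened one and shows a cache name that cannot carry a script extension. The allowlist entries, the function names, the `.img` suffix, and the substring-style weak check are all assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real site lists its own image hosts.
ALLOWED_HOSTS = ("example.org", "cdn.example.net")


def loose_host_ok(url, allowed=ALLOWED_HOSTS):
    """Weak form (assumed): passes when an allowed name appears anywhere in the host."""
    host = (urlsplit(url).hostname or "").lower()
    return any(name in host for name in allowed)


def strict_host_ok(url, allowed=ALLOWED_HOSTS):
    """Hardened form: scheme, userinfo and host are each checked explicitly."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed authority, e.g. an unclosed bracket
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False            # no user:pass@ prefix in front of the host
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # Exact match, or a subdomain joined by a literal dot boundary.
    return any(host == name or host.endswith("." + name) for name in allowed)


def cache_name(url):
    """Cache file name that never inherits the remote file's extension."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest() + ".img"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "http://img.example.org/photo.png",
        "http://example.org.untrusted.test/photo.php",
        "http://notexample.org/photo.png",
        "ftp://example.org/photo.png",
    ):
        print(sample, loose_host_ok(sample), strict_host_ok(sample), cache_name(sample))
```

Pairing the strict host check with a cache name that has a fixed, non-executable suffix addresses both halves of the issue described above: the source validation and the direct access to the cached file.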

EPSS Score
26% chance of being exploited in the next 30 days.
Timeline
Vulnerability Reserved
Vulnerability published