We have been made aware of a security vulnerability that affects users of the popular WordPress plugin TimThumb. The vulnerability can give attackers the ability to inject PHP scripts onto your site.
Information from the plugin author on the vulnerability is available here.
Third parties are able to upload and execute PHP code within the TimThumb cache directory. The uploaded code then allows an attacker to compromise the website further.
Any version of the plugin before TimThumb 2.0 is vulnerable.
If you are running old versions of this plugin (before version 2.0) we recommend that you either disable it or update it to a newer version.
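To find out whether a site carries an old copy, the following added example (not code from this advisory or from the plugin author) walks a web root, reports each TimThumb script with a declared version before 2.0, and lists any PHP files sitting in its cache directory. The file names `timthumb.php` and `thumb.php`, the `define('VERSION', ...)` line and the sibling `cache` directory are assumptions about how the script is usually deployed; `demo()` runs the scan on a constructed sample tree.

```python
import os
import re
import tempfile

# Assumptions (not stated in the advisory): the script is named timthumb.php or
# thumb.php, declares define('VERSION', 'x.y'), and caches in a sibling "cache" dir.
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"](\d+(?:\.\d+)*)['\"]")
SCRIPT_NAMES = {"timthumb.php", "thumb.php"}
FIXED_MAJOR = 2  # the advisory: any version before 2.0 is vulnerable


def parse_version(text):
    """Return the declared version as a tuple of ints, or None if not found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def scan(root):
    """Return sorted (path, status, php_files_in_cache) for each TimThumb copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SCRIPT_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                head = fh.read(65536)
            if "timthumb" not in head.lower():
                continue  # an unrelated script that happens to be named thumb.php
            version = parse_version(head)
            status = ("unknown" if version is None else
                      "vulnerable" if version[0] < FIXED_MAJOR else "ok")
            cache = os.path.join(dirpath, "cache")
            names = os.listdir(cache) if os.path.isdir(cache) else []
            dropped = sorted(n for n in names if n.lower().endswith(".php"))
            findings.append((path, status, dropped))
    return sorted(findings)


def demo():
    """Scan a constructed tree: a 1.x copy with a PHP file in its cache, and a 2.x copy."""
    with tempfile.TemporaryDirectory() as root:
        for theme, ver, cached in (("old", "1.19", ["a.png", "x.php"]), ("new", "2.8", [])):
            os.makedirs(os.path.join(root, theme, "cache"))
            with open(os.path.join(root, theme, "timthumb.php"), "w") as fh:
                fh.write("<?php // TimThumb\ndefine ('VERSION', '%s');\n" % ver)
            for f in cached:
                open(os.path.join(root, theme, "cache", f), "w").close()
        return [(os.path.relpath(p, root), s, d) for p, s, d in scan(root)]
```

A copy reported as `unknown` declares no version the scan could read and should be checked by hand; any PHP file listed for a cache directory deserves review regardless of the version found beside it.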
How do I disable the plugin?
WordPress plugins can be deactivated from the Plugins menu in the administrator control panel.
How do I update the plugin?
The latest version of the plugin can be downloaded from here.