Timthumb Vulnerability + Security Update

Posted on August 2, 2011 by in Theme Changes/Bug Fixes | 140 comments

In the past, our themes have used a popular image re-sizing script called TimThumb (http://www.binarymoon.co.uk/projects/timthumb/). The script is used by countless sites and is quite popular in the WordPress theming community. That being said, it was noted yesterday that a vulnerability exists within certain versions of the script (http://code.google.com/p/timthumb/issues/detail?id=212), and therefore this vulnerability may also exist in your theme (depending on when you last updated it). While the author has provided a fix, it is highly recommended that you update all of your Elegant Themes themes to their latest versions. The latest versions of our themes no longer use the timthumb script and are therefore not subject to this security hole.

Regardless of when you last updated your theme, I would strongly suggest that everyone update their themes to the latest version and ensure that the timthumb.php file and your /cache folder have been removed. To update your theme and remove the file, simply delete your current theme via the Appearances > Themes section of the WordPress Dashboard. Then you can re-download the theme from the members area and re-upload it normally. Note that deleting the theme also deletes any edits you made to its files, so download your customized .css and image files (and note any changes to the .php files) before deleting it; your ePanel theme options are stored in the database and are not lost:


The latest theme versions require that your thumbnail images be hosted on the same domain name where WordPress is installed. If you were previously using timthumb.php to allow external image sources by editing the file's $allowedSites array, then those thumbnails will no longer function.

There is also the option of updating timthumb.php to the latest version if you still want to use it. You can download the latest source code for the script here. Alternatively, you can consider editing your current timthumb.php file to remove the external-source functionality that is the cause of the vulnerability. You can learn more in this post by VaultPress. However, I would recommend downloading the new version of the theme instead.
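To make concrete where the external-source feature goes wrong, here is an added example written for this page (it is not TimThumb's code and not an Elegant Themes file). The affected 1.x versions validated a remote src by testing whether an entry from $allowedSites appeared anywhere in the URL's host, a substring match, so a host the attacker controls such as blogger.com.attacker.example was accepted as if it were blogger.com. The weak function below reproduces that pattern; the strict one accepts only an exact host match or a genuine subdomain, and only http/https URLs. The hostnames and URLs in the demonstration are constructed.

```php
<?php
// Added example modelling TimThumb's external-source allow-list (not TimThumb's own code).

/** Weak check, in the style of affected TimThumb 1.x: substring match on the host. */
function host_allowed_weak(string $src, array $allowedSites): bool
{
    $host = strtolower((string) parse_url($src, PHP_URL_HOST));
    foreach ($allowedSites as $site) {
        // "blogger.com" is found inside "blogger.com.attacker.example", so this passes.
        if ($host !== '' && strpos($host, strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

/** Strict check: http(s) only, exact host match or a genuine subdomain of an allowed site. */
function host_allowed_strict(string $src, array $allowedSites): bool
{
    $parts = parse_url($src);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        // Subdomain: the host must END with ".site", not merely contain "site".
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Demonstration with constructed URLs (the attacker hostname is illustrative).
$allowedSites = ['flickr.com', 'blogger.com'];
$samples = [
    'http://farm1.static.flickr.com/photo.jpg',       // legitimate subdomain: weak allow, strict allow
    'http://blogger.com.attacker.example/shell.php',  // allow-list bypass: weak allow, strict deny
    'http://attacker.example/x.jpg',                  // unrelated host: weak deny, strict deny
    'ftp://img.flickr.com/photo.jpg',                 // wrong scheme: weak allow, strict deny
];
foreach ($samples as $src) {
    printf("%-50s weak=%s strict=%s\n", $src,
        host_allowed_weak($src, $allowedSites) ? 'allow' : 'deny',
        host_allowed_strict($src, $allowedSites) ? 'allow' : 'deny');
}
```

Run it with `php allowlist-demo.php`. A correct host check is necessary but not sufficient: anything a remote fetch writes into /cache should also be verified as an image and stored under a name and extension the requester does not control, which is why removing the script and the cache folder, as recommended above, remains the simpler fix.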

Before updating the theme, make sure that you are using the latest version of WordPress. I would also disable all of your plugins temporarily before doing any update to ensure that no compatibility issues exist. Remember to always keep WordPress, your themes and your plugins up to date to help protect yourself against known vulnerabilities.

This security flaw also applies to all of your inactive themes. A file inside a theme folder can be requested directly by URL whether or not that theme is active, so any theme on the server that still contains timthumb.php leaves you potentially at risk. I would suggest deleting all of the themes that you are not using in addition to updating the ones that you are. This file is very common throughout WordPress themes, not just Elegant Themes.
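As an added check (example code written for this page, not Elegant Themes' or WordPress's own tooling): since every folder under wp-content/themes is web-reachable whether or not the theme is active, the scan has to walk all of them. The script below lists any PHP file whose name contains "timthum" (so it also catches renamed copies such as the timthummbold.php mentioned in the comments), every directory named cache, and any .php file stored inside such a cache directory, which is where an exploited copy leaves executable files. The themes path on the command line is an assumption; point it at your own wp-content/themes.

```php
<?php
// Added example (not Elegant Themes' code): scan every theme folder, active or not,
// for leftover TimThumb copies and for PHP files sitting inside a cache/ directory.
// Usage: php scan-themes.php /var/www/html/wp-content/themes   (path is an assumption)

/**
 * Returns a list of [type, path] findings under $themesDir.
 *   'timthumb'  - a PHP file whose name contains "timthum" (also catches renamed copies)
 *   'cache_php' - a .php file stored inside a directory named "cache"
 *   'cache_dir' - a "cache" directory itself (the post advises removing it)
 */
function find_timthumb_residue(string $themesDir): array
{
    if (!is_dir($themesDir)) {
        throw new InvalidArgumentException("Not a directory: $themesDir");
    }
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($themesDir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $name = strtolower($info->getFilename());
        if ($info->isDir()) {
            if ($name === 'cache') {
                $findings[] = ['cache_dir', $path];
            }
            continue;
        }
        if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'php') {
            continue;
        }
        if (strpos($name, 'timthum') !== false) {
            $findings[] = ['timthumb', $path];
        }
        // Any PHP file under a cache/ directory is executable residue, whatever its name.
        if (preg_match('~[/\\\\]cache[/\\\\]~i', $path)) {
            $findings[] = ['cache_php', $path];
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $dir = $argv[1] ?? 'wp-content/themes';
    $findings = find_timthumb_residue($dir);
    if ($findings === []) {
        echo "No TimThumb residue found under $dir\n";
        exit(0);
    }
    foreach ($findings as [$type, $path]) {
        echo str_pad($type, 10), ' ', $path, "\n";
    }
    exit(1); // non-zero so the scan can gate a deployment or a cron job
}
```

A clean result only means no TimThumb copy or cache residue remains; if the site was already exploited, the files dropped elsewhere still have to be found and removed separately, as the reply to comment 37 below points out.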


  1. Thanks for this detailed precious information. It is very helpful.

  2. It would be great if you could provide a clear step-by-step guide for migrating from timthumb to one of the other thumbnail options. Themes like ePhoto rely on timthumb (at least older installations) and the documentation doesn’t really address how we can switch away from timthumb easily.

    • The themes still work the same way, so you don’t need to change anything. It should be a seamless transition when upgrading to the new version of the theme.

      • How do I upgrade seamlessly? I have heavy edits to my ephoto theme. If I upgrade, I will have to do everything all over again? There must be an easier way of doing this that I am missing. Can you please help?



        • I have the same issue. I’ve modified so much of my theme. Came here hoping for an answer that doesn’t involve upgrading the entire theme and overwriting all my edits. Thanks!

          • Me too! I did create a child theme, but ended up having to make edits to the parent theme that include files where timthumb is called.

      • I loaded the new ElegantEstate Theme and can’t get the listings to show any listing information or the additional photos.

    • Well, sure enough my ElegantTheme with TimThumb is no longer so elegant after being hacked… and now banned by Google with the malicious vulnerability exploited.

      I made lots of cosmetic changes with the CSS and a few image files, but not any functionality.

      How can I update to secure the site without losing my cosmetic changes?

      • I am afraid that there are too many variables to consider when it comes to customization to give you a sure way to update the theme while at the same time preserving your changes. Even if we knew what files you edited and what files have since been updated, it’s hard to say how your customizations would interact with the new files, and more than likely most of the files you have customized have since received updates and would need to be re-uploaded.

        If most of your changes were made to the .css files, on the other hand, then they can likely be preserved. Our css files don’t change much, and older versions should work fine with the new back-end updates.

        If updating the theme is not an option, then the next best thing is to update the timthumb.php file. However, I do not recommend this as the best solution. To update the file, open timthumb.php and replace its content with the latest build:


        • It seems like it would be a good idea to implement a way to make changes to the theme so that upgrades are seamless, similar to how the Thesis theme operates with a custom css section and a custom functions section also

  3. Hi,

    The post says:

    “The latest versions of our themes no longer utilize the timthumb script and therefore are not subject to this security hole.”

    On the Features page for the latest theme LeanBiz, it says that timthumb is used in that theme.

    Could you clear that up for me?


    • Sorry, I just need to update the features pages. The timthumb.php is not included in any of our latest theme packages.

  4. Thanks Nick, the transition was indeed smooth. Will the thumbnail custom field work in the same way after this change, or should we use the featured image function?

    • You can use either method. Both should work fine.

      • Just for your information: in the DeepFocus theme, the thumbnail in the post is not resized if the “featured image” feature is used instead of the custom field.

  5. Nick, If I am seeing ‘your themes are up to date’ on my wp dashboard, can I assume that this is a non issue for me? If not I need to be spoon fed on how to do this to alleviate a virtual heart attack. Thanks

    • You can check your current theme version from within the Appearances > Themes page in wp-admin. Then you can compare it to the theme versions listed in the member’s area. Each theme has a changelog dropdown that you can view. It’s unlikely that you are on the latest versions unless you just downloaded the theme.

  6. Hi Nick,

    Thank you for the detailed, precious information.

  7. Hi Nick, thanks for the warning and a timely reminder that I really must get around to updating my theme.

    • If you haven’t done it yet, Chris, I’d strongly suggest it. There’s already an active exploit out there in action. I had one site compromised within days of Nick’s announcement, but was able to update, recover, and clean it out.

      This isn’t a casual “should I or shouldn’t I” update, folks. The TimThumb vulnerability is actively being used.

  8. Thanks for the email update – can you say if we have adapted the theme how do we make sure the edits are not lost? Or will they be preserved automatically?

    • I am afraid that there are too many variables to consider when it comes to customization to give you a sure way to update the theme while at the same time preserving your changes. Even if we knew what files you edited and what files have since been updated, it’s hard to say how your customizations would interact with the new files, and more than likely most of the files you have customized have since received updates and would need to be re-uploaded.

      If most of your changes were made to the .css files, on the other hand, then they can likely be preserved. Our css files don’t change much, and older versions should work fine with the new back-end updates.

      If updating the theme is not an option, then the next best thing is to update the timthumb.php file. However, I do not recommend this as the best solution. To update the file, open timthumb.php and replace its content with the latest build:


      Next, apply the following fix to the file:


      I still recommend updating the entire theme as the best solution.

      • Thanks.

        I have decided to start over as the site is in text mode anyway, so I’ve installed a new WP site with the updated theme and got these errors:

        Warning: fopen(/var/sites/h/headlane.co.uk/public_html/wp-content/themes/TheCorporationTheme/style.css) [function.fopen]: failed to open stream: No such file or directory in /var/sites/h/headlane.co.uk/public_html/wp-includes/functions.php on line 4339

        Warning: fread() expects parameter 1 to be resource, boolean given in /var/sites/h/headlane.co.uk/public_html/wp-includes/functions.php on line 4342

        Warning: fclose() expects parameter 1 to be resource, boolean given in /var/sites/h/headlane.co.uk/public_html/wp-includes/functions.php on line 4345

        Any advice?


        • It’s OK, I made the same mistake I did before of uploading the wrong folder. Sorry.

          Best wishes

      • I do have a question about the Theme Options – these are not preserved? I have to go and set them all up again?

        • The theme options are preserved. You won’t need to reconfigure ePanel.

      • Does this mean that we would save our css files to then re-upload them to the new theme, and everything we have changed in the css style sheet will be fine? Thank you for any additional info.

        • Yes, you should be able to re-apply your edited CSS files as these were not changed.

  9. I, for one, really need the external feature of Timthumb to pull lots of images from Flickr and build a portfolio. So I can’t get rid of it…

    So I have the previous version of a specific theme with Timthumb and now I just have to replace the file for the latest version and everything will keep working. What about future theme updates? And what if I need to use some other theme (which I haven’t downloaded yet) with Timthumb to access external images?

    How would I do that if the script has been completely removed from the themes?

    • At this time the script has been removed from all of our themes. So if you download any of them they will be clear. As for using timthumb currently, I wouldn’t recommend it. If you have to, then I would be careful to monitor the theme for updates over the next few days/weeks and make sure you are using the latest version.

  10. I have made a lot of mods to my theme, in its layout. I have updated the timthumb script as instructed in the link provided.

    To update the ePanel, do I just upload the new updated theme folder to replace the one I have?

    Will the new updates affect my theme layout directly?

  11. So, if I replace the theme, will it delete everything I already have made (custom graphics, etc)?

    • Replacing the theme will remove any customizations you have made to the theme’s code. However, most css/graphics changes can easily be re-applied. You can download your current images/ folder and your current .css files and use them with the new version. Trying to use old php files, on the other hand, will likely result in errors.

      • I don’t want to come off as too harsh, but it would have been nice if this had been clearly stated in the original update notification. It’s my fault I haven’t been backing up, but I had no idea I would have to download the custom css before updating the theme. Now I am inspecting every page to verify everything works correctly.

  12. I updated the memoir theme to the latest you have. All my posts use the custom field “Thumbnail” to place an image in each post. With the upgrade, all the thumbnails are broken. Apparently the custom field “Thumbnail” in the memoir theme no longer works, without the timthumb. Is there a way to code the themes so that the “Thumbnail” custom field continues to work but use the wordpress image engine?
    Because like me, there might be other people who have thousands of posts and were using timthumb to resize them. It would represent hundreds of hours to edit all the posts to use a different method to display the images. It would be much easier if the custom field “Thumbnail” remained, but was redirected to use the wordpress internal image engine to display the thumbnails.

    • The thumbnail custom field should work fine. Can you open a thread in the support forum? We will take a look.

  13. The instructions say to delete “your /cache folder.”
    Where exactly is this folder located in the file system???

    • This is located within your theme folder. For example:


  14. I’ve deleted timthumb.php in the meantime.

    In order to upgrade my theme, I need to perform a “code merge” of my code customizations to the new theme versions.

    In order to figure out what my customizations are, I need to do a “code diff” of all my changes to the reference themes. That means that I need to get a copy of the old ElegantTheme versions as references.

    Is there a way?

    • Extract your original .zip file, like you did before uploading it, and you’ll find all of the original files in the theme’s folder.

      If you just want to see your “tweaked” versions, FTP into the account and copy them to your computer from the wp-content/themes/your theme name directory.

      You might consider making notes for each change/tweak you make in the future, such as in a text file. You can also save the forum pages that contain any customizations to your computer for later use.

  15. Which theme did you stop using Timthumb in? I have Chameleon, which I thought was not using that script, yet the file is in the theme directory.

    • If you still see the file then you should update to the latest version.

  16. Updates went smoothly, thanks Nick!

    I envisioned a bigger pain in the a$$ when I first started it for 2 sites, but didn’t want any open holes either.

    Glad you guys are on top of it here.

  17. Thanks for the information. I have changed my two themes.

  18. Hello,
    I’m new and I need your help 🙂 because I’m confused. When I update the theme, how will it affect my existing documents and my website? Should I re-upload the whole document or ???

    • I’m also interested in knowing if I should edit my pages again. I know the pages won’t be deleted. But how about the page properties settings and the theme options page? Are they lost?

      • Well now I did it anyway… the update. No problems here. Deleted the theme, installed it again. Some small edit here and there and the site is back online 🙂

        • Glad to hear it 🙂

  19. Just when i just finished to modify three of your themes :-(((((

  20. Hi!
    The update was perfectly smooth. I only had to edit the footer, put back the Language files and reactivate my plugins.

  21. Thanks for the update.
    I started using ElegantEstate a few days ago, but just to be safe I checked the version and changelog. It says it’s 2.8 and that timthumb was removed in the changelog, but in my version 2.8 I have timthumb.php… so do I have to start over?

  22. Hi – I am noticing on some of the templates there are some javascript errors when dealing with portfolio layouts especially when there is a video clip as a thumb…

    for example in Feather and Chameleon, when you go to page templates > portfolio > portrait orientation, the thumbs are missing and when you click on the vid clip to play in the lightbox it throws a javascript error about permission being denied to youtube.com to call method Location.toString

    I am on a ppc mac osx 10.4.11 using firefox 3.6.19 and safari 4.1.3. The issues are occurring on both browsers.

    • to clarify – I am referring to the previews on elegantthemes.com

  23. I made the update following the instructions in the email. Just a heads up for future such emails, PLEASE specify that customizations to php files and css need to be backed up before deleting the old theme. I lost hours worth of work 🙁

  24. I have used numerous Elegant Themes. Can a list of all the themes using timthumb be provided, so I know which sites I must amend? … please 🙂

  25. Why is it not sufficient just to update the timthumb file if we’re ok to keep using it?

    I didn’t do a very organized job of all my customizations and would take a lot of effort to get things back how they are.

    Would any security issues still exist?

      • Wish I had updated timthumb… I updated MyCuisine and it broke the slider. The featured.php still includes lots of references to timthumb, for example:

        $arr[$i]["use_timthumb"] = $arr[$i]["thumbnail"]["use_timthumb"];

        • Those are just the names of our internal functions. Timthumb itself has been removed from the theme. As for your image problems, please open a thread in the support forum so that we can take a look.

  26. I’ve opted for the replacement file of timthumb.php and it wipes out all the thumbs in the theme. How can you update the thumbs when you replace the updated timthumb.php file?

  27. Hi – I am getting a message saying: An error occurred while updating Aggregate: Update package not available..

    it happens with all the updates I am getting on my installed elegant themes. Any idea how to get the automate updates working?

    • ^ Can somebody please answer this question?

  28. Hi Nick,

    thanks for everything. I just wanted to react to the recent two or three updates of WhosWho that all came so quickly.

    I think for people with high amount of customization and translation work like me it is best to have bigger updates once a while rather than little updates every other week. It always takes a couple of hours of work to make the update live for me.

    Best regards,

    • We can’t hold back on fixing bugs I am afraid. If you are customizing the themes then I would suggest making a Child Theme instead. This way you can update the main theme without losing your customizations.

  29. Hi Nick,

    I’m using many of your themes for various projects and I want to ask a question before I delete the current version and update to the latest.

    I’m using, for example eStore, and each post (ie Product) has extra info fields called ET SETTINGS.

    If I delete the old version of eStore, switch to temporary WordPress generic theme then upload new eStore, will these ET SETTINGS remain?

    Many thanks

  30. Hi Nick,

    Thanks for the update. I have followed your instructions. Now I need to know how to make the image slider on my homepage work – I have the SimplePress theme – what do I do?


  31. Hi Nick, I too have used the updated timthumb.php file from the website you suggested and now all the thumbs can’t be found. X’s where the images should be.

    I just have too many customized settings to replace the whole thing.

  32. Hello Nick, I installed and started using Elegant Themes just a week ago, so I don’t need to reinstall. About the timthumb.php file: as I am a newbie, where do I find it? Please help step by step; maybe I’m not the only one who doesn’t understand the script issue. Thanks for the help.

    • You should upgrade to the latest version of the theme to ensure that your theme is secure. To update your theme, simply download the latest version from the members area and then re-upload it via the WordPress Dashboard.

      • I’m getting errors when I try to update via wp backend.

        An error occurred while updating Envisioned: Update package not available..

        • The themes do not support automatic updates I am afraid. You will need to re-download the theme from the members area.

        • Hi Flo, me too, but I switched to another theme and then deleted the existing theme. Don’t be afraid of losing the entire file. After that you can install the same theme you used before; it succeeded, and all the file content is still there. Good luck.

  33. Hi Nick

    I’ve managed to download/upgrade/reinstall TheStyle (2.2) but need help with formatting boxes on all pages which are now adjoined rather than discrete (with borders). Where/how can I reclaim previous formatting?

    Thanks in anticipation,


  34. Will my ET Settings remain if I delete a theme which is using these fields? I want to update my theme to the latest version but I’ve got fields entered in my ET settings.

    Can you let me know what happens?

    • All of your ePanel settings will be preserved when updating the theme.

  35. Just added the new script.
    Will update theme later.

    Thanks for the warning.

  36. Hi Nick,

    I upgraded the Aggregate Theme to v1.5 a few hours ago and noticed a Thumbnail Issue. In a previous statement you said one has the choice of using “Featured Image”, or the old “Thumbnail” Custom Field should work.

    Thumbnails with Featured Image work fine, but my older posts that used the Thumbnail Custom Field are now broken. None of those thumbnails work.

    • Please send me an email and I will take a look.

  37. Do you know how the problem manifests itself? Visitors to my site started getting malware warnings today. I updated the theme but the problem is still there.

    It’s apparently showing an alert for “HTML:script.inf” A Google and host company scan showed no problems. I’m going nuts trying to figure this out. Thanks for all the support.

    • I am afraid that if you waited until after your site was hacked to update the theme, then updating the theme will not fix the problem. In addition, you will also need to clear out any malware that was added to your website’s files to fix whatever problems are now occurring. If you send us an email with your FTP login details I’m sure that I can fix it for you.

      • That would be awesome Nick. What email do I send the FTP stuff to?

      • I sent you a PM. Thanks!

      • Same with me. I have deleted all necessary files but cannot find “” in any of my php files.

        • Please send us an email via the contact form if you need help.

  38. The timthumb hack is fairly easy to remove. The hack adds some files here and there, but they are fairly easy to identify, if by no other means than the date of their entry, which likely doesn’t match up to any other dates of files created.

    That said Nick, do you think you’ll be sticking the timthumb2 into the themes or will it be described as a required plug-in?

    And speaking of descriptions, most of your themes tout timthumb for its obvious benefit of a single download. Will you be deleting that from your website to avoid confusion and misrepresentation?

    You still have the best themes , but timthumb is sorely missed.

    • I don’t have any plans to add timthumb back at the moment. Perhaps after it has stood the test of time.

      • Hopefully you’ll get comfortable with it shortly. It really does make a difference in the utilization of the sliders since they’re rectangular, while the thumbs are square. I’ve already seen several developers replacing it with the updated version, but perhaps erring on the side of caution is best.

      • Also just noticed you’re separating the theme from the PSD files. Very clean.

      • And I would note that installing a picture in the Featured section or using a custom field Featured for it, does not include that picture in the home slider. At least not on SimplePress. So you have to upload a 954 x 375 picture as the Thumbnail in order for it to work, and then you can’t use that page or post because you no longer have a Thumbnail that’s not skewed. Hmmmm.

  39. Hi
    I notice that I also have a couple of files called…
    timthummbold.php and thumbnail.php
    Are those files OK?


    • You should no longer need these files with the latest version of the theme. Any instances of timthumb should be removed from your server.

  40. I’m on Bold 3.0, how do I update it to the latest release? I’ve never updated my theme before. Thanks!

  41. For me, I updated the timthumb.php and updated to the newest WordPress and that pretty much fixed it for me.

    After updating the timthumb.php, the warning was still there for all of my pages, but I had failed to upgrade to the latest WordPress, and so after I did that latest upgrade, the site was functional again.

  42. I just want to confirm before I make this attempt….will my ePanel settings stay in place despite deleting the entire theme? Then when I upload the new version, they’ll be picked up automatically somehow?

    • Your ePanel settings will not be lost when you upload the new version of the theme. They are saved to the database.

  43. I did the new install but get the following:

    Fatal error: Call to undefined function wp_basename() in /home/dfwcat5/public_html/wp-content/themes/WhosWho/epanel/custom_functions.php on line 552

    Line 552 is:

    $name = wp_basename($thumb, ".$ext");

    Any ideas?

    • Are you using the latest version of WordPress?

      • Nick,

        Updated WP and it works now.


  44. I can’t load the 8 photos on the listing and the listing information doesn’t show up either. Why? Is the ElegantEstate skin functioning properly?

    • Please open a thread in the support forum so that we can assist you.

  45. Nick, are you positive that all your themes are now completely safe? I deleted all the themes, installed them fresh again and got hacked again.

  46. I downloaded the MAGNIFICENT theme a couple of days ago thinking that I got the “CLEAN” theme without the timthumb.php script, and I just got hacked, so I just downloaded it again and I just checked and the file timthumb.php is there. I thought you said that your themes do not have that file anymore?

    please explain

    • I am 100% positive that the file is not included. Just download the theme and unzip it on your computer to check.

  47. I correct myself. The theme version I just downloaded does not have the timthumb.php file

  48. Where would i find the timthumb.php file

  49. Hi! I reinstalled WP and the new Artsee theme again, but I can’t see my pages on my site, and I don’t have any idea why. Please tell me what is different in this theme. I have pages but none of them can be seen on the site, and yes, they are public pages, and in the theme options I didn’t set it wrong in ‘Exclude pages from the navigation bar’….
    help me please! Thx!

  50. Hi,

    When I choose ‘featured image’, how do I get rid of TimThumb? It comes up as a default but I don’t want to use it in some posts.


    • You should update to the latest version of the theme, as it does not include timthumb.

  51. Nick, It would be nice to see there be a way to update the themes without overwriting customizations. I know that’s kind of an oxymoron in ways, but if you provided detailed info about files that had changed, maybe it would help people like me who have made extensive customizations to the theme. Obviously some customizations have to be made in just about every case, so this is probably a need for many. Something to keep in mind for future development. Thanks.

    • If you are making customizations then it’s best to use Child Themes. This way you can update the parent theme without losing your modifications.

      • Thanks. I’ll look into child themes.

  52. Thanks for your updates.
    I have two questions.

    First, is there any plan to make these update to be automatic from WordPress Dashboard? I think automatic update is more convenient for us.

    Second, can you provide a version number suffix to the zipped theme package download in Member Area? Such as Magnificent-2.1.zip, to avoid misuse of the latest and older version of the themes. And so we could easily compare the themes in Member Area and the themes we’ve downloaded.

    Thanks again.

  53. Help!

    I have updated 2 of 3 websites I own with new themes and gone back and fixed things I needed to – like putting the new logos back up.

    However – I must be missing a step – I am still getting the malware alert.

    I have deleted ALL other themes other than the standard ones that come with WP. I don’t want to tackle my biggest site since I have changes to the letting, fonts and so on until I can figure out what I am missing.

    I have 3 sites – drscoundrels.com, unvarnishedshow.com and hogwildspices.com

    I looked for the cache file under the location you mentioned to someone else – can you email me and let me know if there is something else besides turning the theme off – deleting it completely – installing the newer version downloaded 9/4 and deleting the cache file, which I can’t seem to find?

    Please help – trying to start a new business and don’t want to send customers to a site where they will get malware alerts


  54. Update – upon reinstalling WP 3.2.1 I have gotten rid of the malware alerts on the pages themselves – BUT – and this is the weirdest part – I get a malware alert ONLY when going into my dashboard.

    What in the heck could be causing that – especially on a site with no widgets and only akismet and ECWID plugins – and on the second site, ECWID isn’t on that.

    Curiouser and curiouser.

    Both sites are fresh reloads of the newest themes – One is EVID – one is TheProfessional.

    • Have you tried clearing your browser cache?

  55. This is obviously an easy question but I have stared at appearance–>themes and am unable to see how to delete my current theme. I was able to delete other themes easily via the “delete” button but do not see anything close on my active theme. Help?

  56. Hi Nick,

    First off, thanks for the wonderful themes. When I try to use the custom field, I get nothing for thumbnails or on the slider. When I use the Feature Image, the thumbnails are cut in half and the text wrap is not wrapping. I do not have a cache folder or a timthumb.php in my theme directory. I read that timthumb and cache have been removed, but it still says that the cache needs to be set to 777. I don’t understand. Thank you for your help and great themes.

    • GUYS!!!!

      Just create a “.htaccess” file in “/cache” containing “deny from all”.

      NOTE: Nova Themes and Webly are the most popular themes, and many domains are being compromised because of this hole. Upgrade timthumb!

  57. Interestingly, I uninstalled Boutique 1.6 today so I could install Boutique 1.7 (since it didn’t allow an automatic update). After installing 1.7 it acknowledges that 1.7 is installed, and it still says it needs updating to 1.7.
    Anyway, I have just started with this theme and it looks promising to use it for mrlarrystore.com.
    Hopefully, it will allow for automatic updates in the future.

  58. Hi Nick,

    I have spent hours and hours trying to make the eStore or Boutique themes work with external images. I am new to WP and using a datafeeder to get the products from affiliate stores. As I use custom fields to add the image URL (as products are uploaded in bulk), it doesn’t capture the thumbnail (as you say WP would do that anymore).

    How we will be able to use your theme for bulk product listing and affiliate shops?

    Please help..:(

  59. We were hit with this and Bluehost took us down. We had an updated theme, still do (Magnificent theme). I updated the timThumb, yet the newly installed “timthumb vulnerability scanner” reports we are still infected. I am forced to keep watch on our cache to delete anything popping up, as that is where it ends up being detected by the host provider. I now have us in Maintenance Mode and am trying to look over options. Ugh. This was my internship work, I graduate in May. IF this can now get fixed, of course. 🙁

    • I would suggest updating to the latest version of the theme that does not include timthumb.

      • I see no such version, just that it still states it uses timthumb, unless such a version is exposed in the members area? (Another club member has that access so I cannot see what she sees.) Do you have a URL I can send her for the theme “Magnificent” without the Timthumb by chance? Thanks!! And we have been hacked I believe, so we may go fresh install from scratch.

  60. Has there be some bug with the old Chameleon Theme 2.0? It used to work perfectly on my site, but ONLY till recently that the visuals on the featured slider isn’t showing up anymore. 🙁

    Do advise!

    • Please open a thread in the support forums so that our tech support team can assist you.

  61. Hey there guys, ok so now timthumb.php no longer exists, what is the php file that resizes the images on the fly? The reason I ask is I upgraded hosting to be using cloud hosting and a CDN to deliver images, and now all the image paths for thumbnails created on the fly broke. How do I get around this?
    I located this post on a fix http://blog.gingerlime.com/thumbs-up/ but need to know the file that does all of the resizing…

  62. Okay so I’m a bit confused. I am using TheCorporation template and I see timthumb being used in the templates. Does this mean it’s still being used or it’s been removed (deactivated) but traces of it still exist? I just downloaded it about 5 days ago.

    I need to know if I’m going to have security issues with this template or if it’s safe to use now. Thanks.

    • If you are using the latest version of the theme, then it does not include Timthumb.

  63. I did Today the upgrade from the security hole of timthumb.
    I think that wordpress is only security holes.

  64. I have just installed the theme Sky and ran theme check on it. It came up with numerous errors. Is there a fix for this as I have purchase the developers version and feel I didn’t get what I paid for if the theme has vulnerabilities. Please help if there are fixes that I can apply.

  65. I do recall going through this update 2 years ago and after some research it was resolved. But if only I had stumbled on this article back then, it definitely would have brought light to the situation.

  66. My website has been hacked 3 or 4 times before discovering it was due to the timthumb vulnerability!

  67. I was just updating someone’s site, they used to use an elegant theme but changed a few years ago

    I ran all the WordPress updates which then told me that many of the plugins and themes needed updating.

    No problem I selected all plugins, updated them, I then selected all themes and updated those too.

    I then run the TimThumb vulnerability scanner plugin only to find your theme was STILL VULNERABLE.

    I appreciate that if people want to update to the latest versions of themes with say responsive support they should pay for the latest version but I see this as a maintenance and safety release that you should perform via WordPress.

    You have sold many many thousands of themes and people are at risk just by having an old elegant theme installed because the PHP file is there and all they have to do is run the following command line cycling through your theme names.


    I will be posting a warning on WordPress.org

    I think that you have a DUTY OF CARE to fix bugs you created (by including the code) automatically via WordPress update.

    • Timthumb was removed years ago. Please log in to the members area and download the latest version of the theme you are using.
