Support » Theme: WP-Creativix » Potential THREAT: WP-Creativix "Free" Theme

  • I got a note from Hostmonster today saying there was a problem with WP-Creativix theme involving a timthumb.php file.

    I’m not sure if this is on purpose to exploit users, or if they just need to update (see more info below)

    I am a designer, not a developer, but they said…

    We have found and corrected exploitable timthumb.php file(s) on your account…The timthumb.php file is a script commonly used in WordPress’s (and other software’s) themes and plugins to resize images. The exploit allows an attacker to arbitrarily upload and create files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser high-jacking and infection, data harvesting and more. After a site has been exploited, it may lead to becoming labeled a “Malicious Website” by Google or other security authorities.
    >
    > Any timthumb.php file below version 1.35, but above version 1.09 is considered vulnerable, unless patched. To prevent being compromised, we advise you update all instances of timthumb.php to version 2.0, or patch the existing vulnerable files. Note that patching the files requires more in-depth knowledge of the PHP scripting language.”

    Just wanted people to know.

Viewing 5 replies - 1 through 5 (of 5 total)
  • They/you just need to update the timthumb script, I doubt this theme author is being malicious.

    This is a common issue that the bigger hosts will alert you to – oftentimes the host will also include an updated version of the script. You just then overwrite the old version of the script with the new one via FTP. I’ve had to do this a few times myself.

    I understand. HM did that for me, then I looked for others.

    I’ve had a few problems with my hard-drive lately, and they were after this was discovered. (Probably not connected at all, more likely related to my vector habit) but I wanted to mention it on the WP-Creativix theme page in the forum for anybody who was going to download it, so that they could fix that issue.

    I’m sure they are aware of that type of problem with timthumbs. Just maybe they didn’t remember to do it.

    I meant only to be helpful.

    what version of the theme are you or were you using?

    the current version of WP-Creativix is 2.5 and it does not seem to contain a ‘timthumb.php’ file in its /script folder

    – simply consider to upgrade to this latest version (unless you have made direct edits to your theme)

    I don’t think I have the latest version. I apologize for your trouble. Please let me know where I can get the latest version and I will uninstall and reinstall.

    Thanks for your patience.

    The latest version is here:

    http://wordpress.org/themes/wp-creativix

    or via your Dashboard.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Potential THREAT: WP-Creativix "Free" Theme’ is closed to new replies.