Support » Plugin: Shortcodes Ultimate » [Plugin: Shortcodes Ultimate] SECURITY FLAW (TimThumb exploit)

Viewing 9 replies - 1 through 9 (of 9 total)
  • Mark (podz)

    (@podz)

    Support Maven

    Did you email the author to let them know or just post here?

    The author seems to be actively monitoring this forum, so I’m sure he’ll see it. I wasn’t able to find any other contact info.

    Mark (podz)

    (@podz)

    Support Maven

    I have also emailed them so it should be addressed soon.

    Plugin Author Vladimir Anokhin

    (@gn_themes)

    Hi all.

    No need to use my email for these reasons, it’s only for translators.

    Script timthumb, included in the plugin, was updated in 3.2.1 and now safe.

    http://wordpress.org/support/topic/plugin-shortcodes-ultimate-this-plugin-is-on-the-list-of-hacks-1?replies=5

    The current version uses TimThumb 2.8 which is better than the older versions, but still not 100% safe. I’d recommend to upgrade to the newest one 🙂

    http://code.google.com/p/timthumb/issues/detail?id=273

    Plugin Author Vladimir Anokhin

    (@gn_themes)

    Ok, thanks for report. I’ll put it to the TODO list.

    Why must I read this before posting, It have costed me a LOT of trouble, I want people to be safe using Plugins, NOT LIKE THIS! If its still OUTDATED it is STILL NOT SAFE!
    My site is now BLACKLISTET because of this Plugin. Everyone must have the right to know about the risk using a UDDATED PLUGIN!

    Plugin Author Vladimir Anokhin

    (@gn_themes)

    You can just not use this plugin and have no problems.

    PS – I do it absolutely free, and will be grateful for the friendly chat

    Hi!

    @gn_themes: first of all, thank you for the great plugin. I truly believe this is a nice tool for WP and I am grateful to you for dedicating your time to developing this for the community.
    Having said that, I had emailed you long time ago about the timthumb vulnerability (which I unfortunately found out about the hard way as one of the sites I managed got hacked) and never received a reply.

    It should not be so hard to keep updated with this issue, which is now known since months as a known security flaw.

    Currently, you’re using v2.8.5, which should be safe (v prior to 2.8.2 are considered not safe), but the latest version is 2.8.9 and it seems to run without issues with Shortcodes Ultimate.

    At any rate, a free plugin is available that scans for timthumb library (there could be multiple copies in case there is more than 1 plugin using it) and can also automatically upgrade it to the latest version. You can search on the repository for “Timthumb scanner”.

    Hope this helps.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘[Plugin: Shortcodes Ultimate] SECURITY FLAW (TimThumb exploit)’ is closed to new replies.