WordPress.org

Support

Support » Plugins and Hacks » Verve Meta Boxes » [Plugin: Verve Meta Boxes] Security vulnerability

[Plugin: Verve Meta Boxes] Security vulnerability

  • It appears that the latest version of Verve Meta Boxes includes an outdated version of timthumb.php in /tools directory. There is a known security risk with this version of timthumb.php. Hackers can exploit this file to upload malicious scripts to your site.

    Simply having the plugin on your site even if not activated still means you are at risk because the file is still publicly accessible.

    In my testing, I was able to simply replace the entire contents of timthumb.php with the latest version of the script which is much more secure. The latest source code for timthumb can be found here: http://timthumb.googlecode.com/svn/trunk/timthumb.php.

    Doing so did not affect the ability of Verve Meta Boxes to perform as normal, in my case, however as always change this at your own risk. From what I can tell (and I’m no expert) it appears that Verve Meta Boxes simply uses timthumb to display an image you upload on the edit screen.

    I’m in no way affiliated with this plugin, I’ve just used it on many websites I’ve created and want to save people the trouble of dealing with a hacked website. I already had to remove malicious code from one of my sites.

    More information about the vulnerability in timthumb can be found here: http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

    And here: http://news.softpedia.com/news/Timthumb-Driven-WordPress-Attacks-Continue-216969.shtml

    And here: http://weblog.mediatemple.net/2011/08/02/security-update-timthumb-php-vulnerability/

    If you don’t feel comfortable editing the timthumb.php file, I recommend removing the plugin from your site until the developers properly address this.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author avenueverve

    @avenueverve

    Hi johnnyfish19,

    I will confirm that you can just drop in the new version of timthumb.php into verve-meta-boxes plugin and everything will work fine. You are also correct in that timthumb.php is only used to display image on edit screen.

    I have an upgrade to timthumb.php as part of the next release, currently in testing phase.

    Where is the Verve Meta Boxes plugin download link?

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘[Plugin: Verve Meta Boxes] Security vulnerability’ is closed to new replies.
Skip to toolbar