
[Theme: Yoko] Theme uses outdated TimThumb (you will be hacked if you use it)

  • Jason Paul

    @jasontrasaterracom

    Just wanted to put a warning out there. My site was hacked because I’d been using the Yoko theme which hasn’t been updated in a very long while. Long enough to still be using an outdated TimThumb plugin. For some reason I’d never checked if Yoko was using TimThumb or what version. Anyway, I noticed that my site was infected with the Pharma hack because of it and promptly had to clean things up.

    http://wordpress.org/extend/themes/yoko/

  • esmi

    @esmi

    Forum Moderator

    Long enough to still be using an outdated TimThumb plugin

    I find that highly unlikely. Themes using TimThumb haven’t been allowed in the Theme Repo for a long time. Certainly from before the security issues. I also downloaded a copy of the theme to check and, sure enough – no TimThumb script that I could find.

    Jason Paul

    @jasontrasaterracom

    Ah, I just looked over the security report again and it turns out I misread and the bad TimThumb was in a plugin. Feel free to delete this thread.

    esmi

    @esmi

    Forum Moderator

    Can you recall where the plugin was downloaded from? If it was from WPORG, then it needs to be pulled.

    Jason Paul

    @jasontrasaterracom

    I ended up deleting all unnecessary plugins, but this was the culprit as far as I can tell from the report (and I’m nearly positive it was kept up-to-date)

    /plugins/onswipe/framework/thumb/thumb.php

    esmi

    @esmi

    Forum Moderator

    This one perhaps: http://wordpress.org/extend/plugins/onswipe/
    It does contain TimThumb, so I’ll alert the plugin folks just in case.

    It contains a patched version (version 1.2 or so was the vulnerable one). The latest version is 2.8.10, and the plugin has 2.8.5, so it’s unlikely, but possible. Looking further into it.
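The thread turns on a question nobody in it actually automates: which files under wp-content are TimThumb, and what version each one declares. The script below is an added example, not code from the thread, the Yoko theme or the onSwipe plugin. It walks a wp-content tree, treats any .php file that mentions TimThumb and carries a `define ('VERSION', '...')` line as a TimThumb copy (that detection heuristic is an assumption), and classifies the version using the two numbers the thread gives: 2.8.10 as the current release and the 1.x line as the known-vulnerable one. The sample directory tree, including a thumb.php at the onswipe path quoted above, is constructed inline so the script runs offline.

```python
"""Scan a WordPress wp-content tree for bundled copies of TimThumb and report their version."""
import os
import re
import tempfile

# Thresholds taken from the thread: 2.8.10 is cited as the current TimThumb
# release, and the 1.x line ("version 1.2 or so") as the vulnerable one.
CURRENT_VERSION = "2.8.10"
KNOWN_BAD_BELOW = "2.0"

# TimThumb declares its version near the top of the file, e.g. define ('VERSION', '2.8.10');
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9.]+)['"]\s*\)""", re.IGNORECASE
)
# Assumption: a genuine copy names itself "TimThumb" somewhere in its header comment.
MARKER_RE = re.compile(r"timthumb", re.IGNORECASE)


def parse_timthumb_version(source):
    """Return the declared VERSION string if `source` looks like TimThumb, else None."""
    if not MARKER_RE.search(source):
        return None
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def version_tuple(version):
    """Turn '2.8.10' into (2, 8, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def classify(version):
    """Bucket a TimThumb version against the thread's two reference points."""
    if version_tuple(version) < version_tuple(KNOWN_BAD_BELOW):
        return "VULNERABLE"
    if version_tuple(version) < version_tuple(CURRENT_VERSION):
        return "OUTDATED"
    return "CURRENT"


def scan_wp_content(root):
    """Walk `root` and return sorted (relative path, version, status) for every TimThumb copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(8192)  # the VERSION define sits in the file header
            except OSError:
                continue
            version = parse_timthumb_version(head)
            if version:
                findings.append((os.path.relpath(path, root), version, classify(version)))
    return sorted(findings)


# Constructed sample tree (not real plugin or theme code): the onswipe path from the
# thread with a 2.8.5 copy, a hypothetical theme shipping a 1.x copy, and a theme
# file that is not TimThumb at all.
SAMPLE_FILES = {
    "plugins/onswipe/framework/thumb/thumb.php":
        "<?php\n/*\n * TimThumb script\n */\ndefine ('VERSION', '2.8.5');\n",
    "themes/example-theme/timthumb.php":
        "<?php\n// TimThumb by ...\ndefine('VERSION', '1.25');\n",
    "themes/yoko/functions.php":
        "<?php\n// theme setup, no image resizer here\nfunction yoko_setup() {}\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Point scan_wp_content() at a real wp-content directory to audit a live install.
    for rel, version, status in scan_wp_content(build_sample_tree()):
        print(f"{status:10} {version:8} {rel}")
```

Anything reported as OUTDATED deserves the same follow-up esmi describes above: check the changelog of the plugin or theme that bundles it, and remove the plugin if the copy is not going to be updated. The header scan only reads the first 8 KB of each file, which is enough for TimThumb's own header but would miss a copy that has been renamed and had its header stripped.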
