Timthumb Vulnerability Scanner
Wish List for Timthumb Vulnerability Scanner (4 posts)

  1. Amanda & Steve
    Posted 4 years ago

    Hello Peter,

    This is a fantastic plugin and thank you for creating and maintaining it - you have made WordPress a much safer place.

    If there is a Wish List/Change Request Roadmap for Timthumb Vulnerability Scanner may I ask for two small tweaks if you think they are appropriate?

    Would it be possible to include two on/off checkboxes to perform the following functions: "1 - Auto-Update TimThumb if new version available" / "2 - Email Admin if new version available or Auto-Updated".

    If both options are selected then the Admin would get an email if auto-update is performed.

    Thank you again for this plugin - it has found the back-level versions of TimThumb included in all sorts of obscure places.

    Kind regards,


  2. Peter Butler
    Plugin Author

    Posted 4 years ago

    Hey Amanda -

    Great points! I think these could (and maybe should) both be implemented, but I want to understand the reasoning behind them.

    My first instinct was to say that these features don't have much utility, because if a vulnerable version of timthumb is showing up, it's because you're there, installing a plugin or a theme. However - that implies that you're always going to have the discipline to go and run the scanner after every time you install a plugin (or log in within a reasonable timeframe, so you'll be alerted by the scan running on a cron). I guess that's not always the case - and I suppose there are situations where a client, or non-technical user is installing a theme or plugin (not a great idea, but I'm sure it happens).

    Anyway - I'd love to hear the use case you're trying to solve, but I think it probably is worth adding those features. I'll try to get to that sometime this week.


  3. Amanda & Steve
    Posted 4 years ago

    Hello Peter!

    My original thought behind it is that IF/WHEN a new vulnerability is found in the TimThumb script AND an update is available, owners of WP installs that don't monitor their Dashboard are alerted.

    My assumption is that today the scanner runs on cron, without the need for the user to log in for the alert to be generated, and that the message is just waiting there for someone to go see it.

    Also, as you have identified, if a backlevel plugin/theme is installed by a user who's not qualified to identify the problem, then someone who is would be alerted.

    My own personal experience is using an auto-update plugin such as WP Remote - all bases are covered.

    Thank you for considering this - it is a really cool feature and I hope and expect that theme & plugin authors who include TimThumb in their code also bundle this plugin!


  4. Peter Butler
    Plugin Author

    Posted 4 years ago

    Ah. Valid points Amanda. I'll get to work.


Topic Closed

This topic has been closed to new replies.
