Support » Plugin: Timthumb Vulnerability Scanner » Wist List forTimthumb Vulnerability Scanner

  • Hello Peter,

    This is a fantastic plugin and thank you for creating and maintaining it – you have made WordPress a much safer place.

    If there is a Wish List/Change Request Roadmap for Timthumb Vulnerability Scanner may I ask for two small tweaks if you think they are appropriate?

    Would it be possible to include a two on/off checkboxes to perform the following functions, “1 – Auto-Update TimThumb if new version available” / “2 Email Admin if new version available or Auto-Updated”.

    If both options are selected then the Admin would get an email if auto-update is performed.

    Thank you again for this plugin – it has found the back-level versions of TimThumb included in all sorts of obscure places.

    Kind regards,

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Peter Butler


    Hey Amanda –

    Great points! I think these could (and maybe should) both be implemented, but I want to understand the reasoning behind them.

    My first instinct was to say that these features don’t have much utility, because if a vulnerable version of timthumb is showing up, it’s because you’re there, installing a plugin or a theme. However – that implies that you’re always going to have the discipline to go and run the scanner after every timy ou install a plugin (or log in within a reasonable timeframe, so you’ll be alerted by the scan running on a cron). I guess that’s not always the case – and I suppose there are situations where a client, or non-technical user is installing a theme or plugin (not a great idea, but I’m sure it happens).

    Anyway – I’d love to hear the use case you’re trying to solve, but I think it probably is worth adding those features. I’ll try to get to that sometime this week.


    Hello Peter!

    My original thoughts behind it is that IF/WHEN a new vulnerability is found in the TimThumb script AND an update made is available – owners of WP installs that don’t monitor their Dashboard are alerted

    My assumption is that the today – the scanner runs on cron and without the need for the user to log in for the alert to be generated – that the message is just waiting there for someone to go see it.

    Also as you have identified – if a backlevel plugin/theme is installed either by a user that’s not qualified to identify the problem – then someone who is would be alerted.

    My own personal experience is using an auto-update pluging such as WP Remote – all bases are covered.

    Thank you for considering this – it is a really cool feature and I hope and expect that theme & plugin authors who include TimThumb in their code also bundle this plugin!


    Plugin Author Peter Butler


    Ah. Valid points Amanda. I’ll get to work.


Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Wist List forTimthumb Vulnerability Scanner’ is closed to new replies.