Over the past few weeks, I’ve been absolutely inundated with requests to clean up hacks that have exploited the much publicized Timthumb.php vulnerability. I have to assume that the reason most people aren’t plugging up this security hole on their sites is either
To combat this, I took a couple of hours this morning to write a plugin that will do the dirty work for you. The WordPress Timthumb Vulnerability Scanner checks your entire wp-content directory (including all themes, plugins, and uploads) for any vulnerable (pre-2.0) instance of the timthumb script, wherever it lives and whatever it has been renamed to, and gives you a one-click upgrade that replaces each copy with the latest, secure version.



Just like that, you’re done. Quick and painless.
Note: If you’ve already been hacked, this will NOT clean up your site. This plugin fixes your door lock, which doesn’t matter if the burglars are already in your house: it closes the hole, but it does not look for or remove anything an attacker has already dropped on the server.
Let me know of any problems or questions you have in the comments.
Good luck!
EDIT
Looking for a solution to scan a whole server, or a site not running on WordPress? By sort-of-popular demand, here it is:
http://codegarage.com/plugins/timthumb-full-server-vulnerability-scanner.zip
It’s much less polished, and much less tested, so use at your own risk.
Hi i get this error CAN’T OPEN VULNERABLE FILE FOR WRITING
If anyone can help because i havent find an answer yet !
Thanks a lot
same error here CAN’T OPEN VULNERABLE FILE FOR WRITING
Hi,
Thanks for the plugin. Had to fix quite a few problems.
mintan,
Many thanks for your work!
Hope to see you soon in Italy.
Marco
Thank you for this helpful plugin. And thank you for you service.
Poorly your plugin found some vulnerability.
Kind regards,
Max
much appreciated. Only a couple of hours to build? nice!
It would be really good to have a general “secure my website” plugin that scanned for a bunch of outdated stuff
p
Really this should be part of WP update
Many thanks from Germany, your Plugin works great!!
Hi, really helpful article and plugin. I am just confused why all my images do not appear; when I asked the server people, they told me that they turned off the cache/upload directory because somebody was trying to hack my site via Timthumb.php.
Now this plugin is helpful for monitoring the Timthumb.php file.
Thanks a lot for this useful article and plugin.
I am using the “Better Word Press Security” Plug-in, as a step in securing the site the “wp-content” directory is changed to something other than the default. (i.e. from “wp-content” to “hackers-blow”)
Does the scanner look in the directory that the name has been changed to?
If not is it possible to direct your plug-in to a non default content directory?
April 17, 2012
Hi,
I have a good timthumb script that is just fine (as someone else reported here too), so I ignore the ubiquitous warning that appears here and there: “1 vulnerable Timthumb file found. Fix it here.”
However, suddenly I got this warning today:
Warning: Cannot modify header information – headers already sent by (output started at /home/example/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php:251) in /home/example/public_html/wp-includes/pluggable.php on line 866
There are no signs of hacking, so I disabled the plugin and the warning disappeared. There seems to be no problem with the site, but I’m not 100% sure.
Then I deleted the plugin and reinstalled it again. The warning vanished. What happened?
Andreas