Over the past few weeks, I’ve been absolutely inundated with requests to clean up hacks that have exploited the much publicized Timthumb.php vulnerability. I have to assume that the reason most people aren’t plugging up this security hole on their sites is either
To combat this, I took a couple of hours this morning to write a plugin that will do the dirty work for you. The WordPress Timthumb Vulnerability Scanner will check your entire wp-content directory (including all themes, plugins, and uploads) for any vulnerable (pre-2.0) instances of the timthumb script, and give you a one-click upgrade of each script to the latest, secure version.



Just like that, you’re done. Quick and painless.
Note: If you’ve already been hacked, this will NOT clean up your site. This plugin fixes your door lock – which doesn’t matter if the burglars are already in your house.
Let me know of any problems or questions you have in the comments.
Good luck!
EDIT
Looking for a solution to scan a whole server, or a site not running on WordPress? By sort-of-popular demand, here it is:
http://codegarage.com/plugins/timthumb-full-server-vulnerability-scanner.zip
It’s much less polished, and much less tested, so use at your own risk.
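As an added illustration of what the scanner above has to do (this is my own example, not the plugin's code or the server scanner linked above), the script below walks a directory tree the way the plugin walks wp-content, recognises TimThumb by its contents rather than its file name (so a copy renamed to thumb.php inside a theme's functions folder is still found), reads the declared version, and flags anything below 2.0. It assumes the script identifies itself with a `define ('VERSION', '...')` line near the top, as TimThumb 2.x does; the sample files it creates are constructed for the demo.

```python
import os
import re
import tempfile

# TimThumb 2.x declares itself with a line like  define ('VERSION', '2.8.5');
# near the top of the file (assumption: older 1.x copies use the same define).
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]\s*\)")
NAME_RE = re.compile(r"timthumb", re.IGNORECASE)
SAFE_FROM = (2, 0)  # the post treats pre-2.0 copies as vulnerable

def parse_version(text):
    """Return the declared version as a tuple of ints, or None if not TimThumb."""
    head = text[:4096]  # the header comment and defines sit at the top of the script
    if not NAME_RE.search(head) or not (m := VERSION_RE.search(head)):
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p)

def scan_tree(root):
    """Walk root and return [(path, version, vulnerable)] for every PHP file
    whose *contents* look like TimThumb, whatever the file is named."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read(4096)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            ver = parse_version(text)
            if ver is not None:
                findings.append((path, ver, ver < SAFE_FROM))
    return sorted(findings)

def demo():
    """Constructed wp-content tree: a renamed old copy, a current copy and a decoy."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files, not real TimThumb sources
        "themes/old/functions/thumb.php": "<?php\n// TimThumb script\ndefine ('VERSION', '1.34');\n",
        "plugins/x/timthumb.php": "<?php\n// TimThumb by ...\ndefine ('VERSION', '2.8.5');\n",
        "plugins/y/timthumb.php": "<?php\n// unrelated file that merely shares the name\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return [(os.path.relpath(p, root).replace(os.sep, "/"), v, bad) for p, v, bad in scan_tree(root)]
```

Only the two real copies are reported; the renamed 1.x copy under functions/ is flagged, the 2.8.5 copy is not, and the decoy named timthumb.php is ignored because it has no version define.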
Thanks for releasing this plugin – it really helps us as bloggers. Great plugin, works and scans easily, and the result for my site is “Vulnerable Timthumb Files: No Vulnerabilities Found!”
The plugin scan says I need to fix the timthumb in your plugin… I get this message on my windows server 2008 R2 hosted sites—-
Vulnerable Timthumb Files:
Fix cg-tvs-filescanner.php (found at C:\inetpub\YourDomain/wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php)
Does this have anything to do with write access to a directory?
After running your script, our site crashed:
A TimThumb error has occured
The following error(s) occured:
No image specified
Query String :
TimThumb version : 2.8
We can’t even get in to wp-admin, and attempts to manually roll back the impacted files have not helped. Any suggestions?
Having same problem as person above and have not got that plugin installed. The timthumb was in a theme folder. Have emailed you!
hiya peter and thanks, but…
a/ there’s no mention of multisite compatibility
and
b/ i’m most surprised *from a quality coder like YOU* that there’s no version number on the zip file -or- in the readme.txt file
looking forward to your comments
sarah
ps: http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/download/ states that v1.1 is the latest release!
i know things are moving fast, but under the circumstances i’d have thought WP.org would have worked closer with you
thanks again
s
It’s a great plugin, but after run it on my site it crashed. There is a problem with wp-thumbie plugin. The whole admin area was out.
hey again!
having watched your video – twice – and reading your comments/replies, i’ve no doubt whatsoever that you are indeed a ‘quality coder’!
thanks for the positive feedback
i look forward to knowing exactly what version i have (either by the file name -or- at the top of the readme.txt document)
please keep up the AMAZING work – the wordpress community needs peeps like YOU!
Thank you very much for this plug-in!
I’ve postponed fixing this bug on my site after a warning from my theme-maker. Thanks to your plug-in it was easy to check (and fix if needed)!
Hi there,
I was hacked – all of my sites were infected, so I am now working hard to have them all online very soon. I wish I had this tool a bit earlier – would have saved me a lot of time. But ok – I am glad we now have a plugin to control and hope this will never happen again.
Have a nice day
Irene from Germany
Little did I know this vulnerability existed in a plugin and my site’s theme. And when I knew about this plugin, and how it could fix the nasty loophole, I wanted to thank the creator of this plugin. So, here I am, thanking you for this wonderful plugin.
There were two vulnerabilities found and fixed! I guess that was pretty easy.
I thought I had it all covered, but your plugin found some timthumb files deeply hidden in an old theme. Now those are repaired so no more worries about getting hacked.
Thanks Peter!
Thank you so much for making this plugin. I have bookmarked your site as the service you are offering looks very good and it is clear that you know what you are doing by making a plugin like this.
Thanks again.
Thanks so much for providing this plugin! It seems to work great, though I did find that it fails to see one instance of TimThumb. It doesn’t seem to scan inside the functions folder in a theme folder. In the case of WooThemes themes, they have moved thumb.php into the functions folder. Scanning a few WooThemes sites, it doesn’t detect v2.8 of TimThumb existing in the functions folder.
Peter, I notice that all of the screenshots of this plugin only find the file if it is named timthumb.php yet many of the affected copies were renamed by theme and plugin developers to be everything from thumb.php to icons.php and more. Is this actually scanning at the code level for ALL files or is it only content scanning for those files that are named timthumb.php which would create a false sense of security? Also is the plugin actually reading for the vulnerability itself or only looking at the versioning? For example Thesis uses a very old copy of timthumb that was BEFORE the vulnerability was introduced and is not affected. Is this plugin going to report that as safe or vulnerable?
Kim
PS: Subscribing to comments by email, look forward to following up with you.
Hi – Great plugin – Thanks!
I do get this before the scan –
Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /home/everyt27/public_html/blog/wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php on line 32
Warning: array_merge() [function.array-merge]: Argument #1 is not an array in /home/everyt27/public_html/blog/wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php on line 32
Can you advise?
Can’t thank you enough for creating this plugin – simple to use & it works…can’t ask for more really!
I was vulnerable so glad I used this…
Ran this on my test server to test it out, and it bombed with lots of errors that say “Warning: preg_match() [function.preg-match]: Compilation failed: unknown property name after \P or \p at offset 28 in C:\wamp\www\wp\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 81” and then one final one that says “Fatal error: Maximum execution time of 30 seconds exceeded in C:\wamp\www\wp\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 8”
Thanks for your diligence! This has saved me and many others a lot of grief.
Hi,
My site got hacked and tried to fix them myself after. I tried to use this plugin and I got these messages:
Warning: Cannot modify header information – headers already sent by (output started at C:\Inetpub\vhosts\domain.com\httpdocs\wp-admin\admin-header.php:34) in C:\Inetpub\vhosts\domain.com\httpdocs\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 410
A TimThumb error has occured
The following error(s) occured:
Could not create the file cache directory.
Query String : page=cg-timthumb-scanner
TimThumb version : 2.8
What should I do? I don’t have any good knowledge with codes.
I need help please, any suggestion to fix my problem?
Hi there,
Thanks for this plugin! It’s worked on many of my sites and is wonderful! But now I’m getting this error message when I click Scan:
Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /home/fungsh2/public_html/brightbodyfitness/wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php on line 5
Don’t know what I need to fix in the file. Can you help? I’m running on WP 3.1 and using Thesis 1.8 (can’t update WP to 3.2.1 as my host is running PHP 4.4.9 and not higher).
Thank you!
I have a single shared hosting account with possibly 200 timthumb files scattered across hundreds of WP installations. Do you know of anyone that has modified this script to search a wider range of directories?
Hi Peter,
Thanks for this plugin. I implemented this in my (attached) website, but could not perceive any threats. I know for sure that the blog has been hacked (I can see external links in the page source, but I never put them in). Could you suggest what I could do? I used Timthumb scanner. Interestingly, I checked my files in hostgator, and I don’t have timthumb.php or thumb.php in my folders.
Much appreciated!
If you lived next door, I’d bake you guys free bread for life. As a faux techie, I’ve been pulling my hair out over the Tim Thumb thing for a couple weeks now. Thanks a million!
Hi,
Thanks for the plugin. Had to fix quite a few problems. Hope no damage was done.
Nik
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….
Hi, love the idea of this, but when i hit scan, NOTHING happens. Any idea why ? thanks
Fix for version 1.3 to make this plugin work on Windows servers. Tested on a WAMP installation.
Peter,
Thanks very much for this. The scanner just updated itself and upon re-scanning, found the culprit. A client website is now running beautifully. Just got to get them to flesh it out now.
Thanks again
John
Hi there
I LOVE this plugin (assuming I’m all clear!!! ;o)
I manage to run it fine and it comes up with the problems fine, but it also lists these 2 as vulnerable:
cg-tvs-filescanner.php the path is listed as /wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php
class-cg-tvs-filescanner.php the path on this one is /wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-filescanner.php
On one site for example I had these 2 and 3 other files identified. Upon checking the box on all 5 I got an error ;o( However, if I did not check the boxes on the 2 above, the others were fixed fine.
SO – my question is whether the 2 above are actually part of your plugin and ok? If not, then do they pose any risks not being “fixed” as they say?
I am on a windows server if that helps?
thanks for your help!!!!
Great plugin, works like a dream and works like advertised. What a useful time saver.
Thanks for the hard work!
WOW!! Thank you so much for this!! I’m just a beginner with all of this stuff and your plugin saved me a bunch of time and I can move on with my site development with the peace of mind knowing my timthumb is up to date!!
THANK YOU!
Hi there,
I installed your plugin but it gives me the following error when I run the website scan.
“Warning: preg_match() [function.preg-match]: Compilation failed: unknown property name after \P or \p at offset 52 in E:\inetpub\vhosts\nutratec.pt\httpdocs\wp-content\plugins\timthumb-vulnerability-scanner\class-cg-tvs-filescanner.php on line 46”
Can you help me?
Thanks
JD
Question — why does the plugin not realize the latest version is 2.8.4?
It appears that 2.8.5 of TimThumb is out now though Timthumb Scanner states that 2.8.4 is the latest. I’m also having an issue where 2.8.2 is detected as out of date, and when I select the files to be upgraded, though the plugin states that they are updated, they aren’t [a refresh of the page confirms that, as does looking at the actual files themselves]. Screenshot: https://skitch.com/vjl323/gwuka/timthumb-scanner
Does TimThumb use “base64_decode”?
I had 2.8.4 of TimThumb installed, and used this Scanner Plugin to update to 2.8.5, but it actually downgraded me to 2.8.2? Am I missing something?
Hello. I get this message when scanning: Warning: Invalid argument supplied for foreach() in /home/go/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php on line 115
This message appears:
Warning: Invalid argument supplied for foreach() in /home/fsagroco/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php on line 115
Hi Peter. Using 2.8.8, I am getting this error after scanning:
Warning: Invalid argument supplied for foreach() in /home/myuser/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php on line 115
Thoughts?
I always get the error message
“2 vulnerable Timthumb files found. Fix them here.”
The files are:
/wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php
/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-filescanner.php
Fixing them produces the following further error:
File cg-tvs-filescanner.php at /wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php successfully upgraded.
File class-cg-tvs-filescanner.php at /wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-filescanner.php successfully upgraded.
A TimThumb error has occured
The following error(s) occured:
No image specified
Query String : page=cg-timthumb-scanner
TimThumb version : 2.8.9
WordPress version 3.3.1 on a Windows Server
It is odd to see vulnerability on the plugin itself? What should we do?
FYI, the “Warning: Invalid argument supplied” is only happening when the scanner can’t find any instances of TimThumb on the site.
Hi Jason,
Yeah I get that very same issue across all of my sites (approx 20 at the moment)
I’m not certain, but I am thinking this is a common error (although the timthumb files other than those listed above appear to get updated fine).
I do, however, find that once I hit the problem you mentioned it does not then allow another scan without throwing up the same error again.
;o(
I’m getting this error when trying to SCAN:
Warning: Invalid argument supplied for foreach() in /home/leadersh/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php on line 115
Looks like a must-have plug-in, so appreciate your help!
I’ve just installed your fantastic plugin on one of my client sites and am getting the following error message when I try to run a scan:
Warning: Cannot modify header information – headers already sent by (output started at /home/redwood/public_html/wp-admin/includes/template.php:1657) in /home/redwood/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-filescanner.php on line 424
A TimThumb error has occured
The following error(s) occured:
Could not create the file cache directory.
Query String : page=cg-timthumb-scanner
TimThumb version : 2.8.5
Do you have any ideas as timthumb was working fine until I ran this scanner, and i have used it on lots of other sites.
I look forward to hearing from you soon. Shoot me an email and i’ll send you the URL of the website in question.
thanks,
Scott.
Hi. I ran the plugin and now I get
A TimThumb error has occured
The following error(s) occured:
No image specified
Query String :
TimThumb version : 2.8.5
I need to fix this asap – please help!
I wish to make the plugin stop yelling that in my blogs there are “2 vulnerable Timthumb files found.”
The two Timthumb scripts are safe and updated, so how do I stop this annoyance?
The problem is that it may happen that anytime in the future it will show 3 instead of 2 and I will ignore the advice.
Hi Peter. I can confirm that the “Invalid argument” is resolved in 1.52 — many thanks for your continued support for this plug-in!!!
- Scott
Thank you for this plugin. I have installed it on 5 WP sites and no hassles as yet. I even found out about your locker service and have had client sign up for this service.
I just had a site hacked with this vulnerability and it took 2 days or more to work it all out but feel safer now.
September 3, 2011
Thanks a million for this. I can’t believe you offer it for free. It saved me so many headaches on my blogs!