Title: [Plugin: Shortcodes Ultimate] SECURITY FLAW (TimThumb exploit)
Last modified: August 20, 2016

---

# [Plugin: Shortcodes Ultimate] SECURITY FLAW (TimThumb exploit)

 *  Resolved [pbosakov](https://wordpress.org/support/users/pbosakov/)
 * (@pbosakov)
 * [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/)
 * This plugin ships with an outdated version of the timthumb.php script, which 
   has a serious security vulnerability. Please update timthumb.php to the newest
   available version.
 * File to replace: lib/timthumb.php
    New version available here: [http://timthumb.googlecode.com/svn/trunk/timthumb.php](http://timthumb.googlecode.com/svn/trunk/timthumb.php)
 * [http://wordpress.org/extend/plugins/shortcodes-ultimate/](http://wordpress.org/extend/plugins/shortcodes-ultimate/)

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/#post-2543702)
 * Did you email the author to let them know or just post here?
 *  Thread Starter [pbosakov](https://wordpress.org/support/users/pbosakov/)
 * (@pbosakov)
 * [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/#post-2543715)
 * The author seems to be actively monitoring this forum, so I’m sure he’ll see 
   it. I wasn’t able to find any other contact info.
 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/#post-2543725)
 * I have also emailed them so it should be addressed soon.
 *  Plugin Author [Vova](https://wordpress.org/support/users/gn_themes/)
 * (@gn_themes)
 * [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/#post-2543735)
 * Hi all.
 * No need to use my email for these reasons, it’s only for translators.
 * The timthumb script included in the plugin was updated in 3.2.1 and is now safe.
 * [http://wordpress.org/support/topic/plugin-shortcodes-ultimate-this-plugin-is-on-the-list-of-hacks-1?replies=5](http://wordpress.org/support/topic/plugin-shortcodes-ultimate-this-plugin-is-on-the-list-of-hacks-1?replies=5)
 *  Thread Starter [pbosakov](https://wordpress.org/support/users/pbosakov/)
 * (@pbosakov)
 * [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/#post-2543741)
 * The current version uses TimThumb 2.8 which is better than the older versions,
   but still not 100% safe. I’d recommend upgrading to the newest one 🙂
 * [http://code.google.com/p/timthumb/issues/detail?id=273](http://code.google.com/p/timthumb/issues/detail?id=273)
 *  Plugin Author [Vova](https://wordpress.org/support/users/gn_themes/)
 * (@gn_themes)
 * [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/#post-2543964)
 * Ok, thanks for the report. I’ll put it on the TODO list.
 *  [lindebjerg](https://wordpress.org/support/users/lindebjerg/)
 * (@lindebjerg)
 * [14 years, 3 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/#post-2544003)
 * Why must I read this before posting? It has cost me a LOT of trouble. I want
   people to be safe using Plugins, NOT LIKE THIS! If it’s still OUTDATED it is STILL
   NOT SAFE!
    My site is now BLACKLISTED because of this Plugin. Everyone must have
   the right to know about the risk of using an OUTDATED PLUGIN!
 *  Plugin Author [Vova](https://wordpress.org/support/users/gn_themes/)
 * (@gn_themes)
 * [14 years, 3 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/#post-2544022)
 * You can just not use this plugin and have no problems.
 * PS – I do it absolutely free, and will be grateful for a friendly chat.
 *  [wowmediakft](https://wordpress.org/support/users/wowmediakft/)
 * (@wowmediakft)
 * [14 years, 3 months ago](https://wordpress.org/support/topic/plugin-shortcodes-ultimate-security-flaw-timthumb-exploit/#post-2544023)
 * Hi!
 * [@gn_themes](https://wordpress.org/support/users/gn_themes/): first of all, thank
   you for the great plugin. I truly believe this is a nice tool for WP and I am
   grateful to you for dedicating your time to developing this for the community.
   
   Having said that, I had emailed you a long time ago about the timthumb vulnerability
   (which I unfortunately found out about the hard way, as one of the sites I managed
   got hacked) and never received a reply.
 * It should not be so hard to keep up to date with this issue, which has been known
   for months as a security flaw.
 * Currently, you’re using v2.8.5, which should be safe (versions prior to 2.8.2 are
   considered not safe), but the latest version is 2.8.9 and it seems to run without
   issues with Shortcodes Ultimate.
 * At any rate, a free plugin is available that scans for the timthumb library (there
   could be multiple copies in case there is more than 1 plugin using it) and can
   also automatically upgrade it to the latest version. You can search the repository
   for “Timthumb scanner”.
 * Hope this helps.
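An added example, not code from the thread, the plugin, or the "Timthumb scanner" plugin mentioned above: a small inventory script that walks a WordPress directory for copies of timthumb.php (or the common rename thumb.php), reads the version the script declares, and grades each copy against the thresholds stated in this thread (below 2.8.2 unsafe, 2.8.9 the latest at the time). It assumes timthumb identifies itself with a `define ('VERSION', ...)` line and runs over a constructed sample tree.

```python
import os
import re
import tempfile
# timthumb 2.x declares its version near the top as  define ('VERSION', '2.8.5');  (assumed layout)
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]\s*\)")
MIN_SAFE = (2, 8, 2)   # thread: versions prior to 2.8.2 are considered not safe
LATEST = (2, 8, 9)     # thread: latest release at the time of the discussion
NAMES = {"timthumb.php", "thumb.php"}  # themes often ship the script renamed thumb.php


def parse_version(text):
    """Return the declared version as a tuple of ints, or None if not found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(version):
    """Map a version tuple to a status using the thread's thresholds."""
    if version is None:
        return "unknown"      # named like timthumb but no recognisable version line
    if version < MIN_SAFE:
        return "vulnerable"
    if version < LATEST:
        return "outdated"     # safe per the thread, but behind the current release
    return "current"


def scan(root):
    """Return {path: (version, status)} for every timthumb copy under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    version = parse_version(fh.read(4096))  # version line is near the top
                results[path] = (version, classify(version))
    return results


def demo():
    """Scan a constructed plugin/theme tree; returns {relative path: status}."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files, not real plugin code
        "shortcodes-ultimate/lib/timthumb.php": "<?php\ndefine ('VERSION', '2.8.5');\n",
        "some-theme/thumb.php": "<?php\ndefine ('VERSION', '2.7');\n",
        "other-plugin/timthumb.php": "<?php\ndefine ('VERSION', '2.8.9');\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return {os.path.relpath(p, root): s for p, (_, s) in scan(root).items()}
```

Run `scan("/path/to/wp-content")` on a real install to list every bundled copy with its status; "unknown" entries deserve a manual look, since a file that carries the name but no version line is not necessarily a safe one.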


The topic ‘[Plugin: Shortcodes Ultimate] SECURITY FLAW (TimThumb exploit)’ is closed
to new replies.
