Recently a vulnerability was discovered within the script that allows hackers to upload and execute arbitrary PHP code within your TimThumb cache directory. It can potentially hijack your website and bring down your WordPress site.
This vulnerability exists in ClassiPress versions 2.9.3 or higher (the majority of our customers) so it’s highly recommended to upgrade immediately. The author has provided a fix and we quickly rolled out a patch to address this. The latest version of ClassiPress (v3.1.4 or higher) is no longer vulnerable.
Who does this affect?
Any customer using ClassiPress version 3.0 or higher. We introduced TimThumb in ClassiPress 3.0 to replace a different image resizing script. It is basically there to support legacy ads (2.9.3 or earlier) so the majority of you don’t even need it.
How can we fix it?
The easiest way is to just upgrade to 3.1.4. If you don’t want to upgrade and you purchased 3.0 or higher, then at the very least, delete /classipress/includes/timthumb.php and empty the /classipress/includes/cache/ folder (delete all files in there). If you don’t see a cache folder you can skip that step.
Customers who purchased 2.9.3 or earlier
You likely have legacy ads which require TimThumb to work correctly. Upgrading to 3.1.4 is ideal but if you don’t want to upgrade, then at the very least, upgrade your /classipress/includes/timthumb.php to the latest version and empty the /classipress/includes/cache/ folder (delete all files in there). If you don’t see a cache folder you can skip that step.
- Login to your WordPress back-end
- Go to appearance => editor and find “timthumb.php”
- Replace the entire code with the updated TimThumb
How can I get the fix?
It can be downloaded from your customer dashboard. You can either apply the patch or install the full theme again. The release notes go into detail as to what is included in the update.
What else was done?
In addition to fixing the TimThumb security vulnerability, we have done an overall security sweep and tightened things up. This update makes ClassiPress the most secure release we’ve done to-date.
Important
Delete any old versions of ClassiPress you may have sitting on your web server. They are susceptible to being exploited even though they may not be your active theme. You should only have the latest version on your site.
- Login to your WordPress back-end
- Go to appearance => themes
- Delete any old versions of ClassiPress. Make sure not to delete your active version.
We’re sorry for the inconvenience but please make sure to upgrade ASAP to avoid your site from being hacked.