A critical 0-day vulnerability has been discovered in "WebShot", a utility shipped with the popular TimThumb script for WordPress. The WebShot feature, itself widely used among WordPress users, has been found vulnerable to remote code execution.

Remote Code Execution (0-day) Vulnerability in TimThumb's WebShot feature leaves WordPress users at risk.

TimThumb is a very simple and flexible PHP script used to resize images. WebShot is a hidden feature of TimThumb that lets it take screenshots of websites instead of resizing images.

The vulnerability was discovered by Pichaya Morimoto in TimThumb version 2.8.13. According to Morimoto, it resides in the "WebShot" feature which, when enabled, allows attackers to remotely execute commands on a website without requiring authentication. This means an attacker can upload or inject malware, upload or execute PHP code or web shells, or take the website down.

Security researcher Daniel Cid explained in a blog post how the vulnerability can be exploited.

With a simple command, an attacker can create, remove and modify any file on the server. Daniel explained with an example:

https://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=https://vulnerablesite.com/$(rm$IFS/tmp/a.txt)
https://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php??webshot=1&src=https://vulnerablesite.com/$(touch$IFS/tmp/a.txt)
In the first example, researchers at Sucuri were able to remove a file (the rm command) and in the second, create one (the touch command). The attacks are not limited to these two commands; many others can be executed remotely (RCE).
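Because the abuse shows up in ordinary web server access logs as requests to timthumb.php with webshot set and shell syntax inside the src URL, a site owner can look back through their logs for it. The following is an added example, not code from the article or from the TimThumb project: it parses Apache combined-format log lines (the lines embedded here are constructed samples, one of them with the payload percent-encoded as a scanner would send it), decodes the query string, and flags any webshot request, with a stronger warning when the src value contains command-substitution markers such as $( or $IFS. The marker list, the regular expression and the reason strings are this example's own choices.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache combined format), not real traffic.
# Lines 2 and 3 mirror the payload shape quoted in the article; line 3 is the
# same kind of request percent-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2014:10:01:02 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?src=https://vulnerablesite.com/img.jpg&w=100 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jun/2014:10:02:17 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?webshot=1&src=https://vulnerablesite.com/$(rm$IFS/tmp/a.txt) HTTP/1.1" 200 412 "-" "curl/7.35.0"
203.0.113.9 - - [24/Jun/2014:10:02:31 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?webshot=1&src=https%3A%2F%2Fvulnerablesite.com%2F%24%28touch%24IFS%2Ftmp%2Fa.txt%29 HTTP/1.1" 200 412 "-" "curl/7.35.0"
198.51.100.7 - - [24/Jun/2014:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Shell constructs that have no business inside an image URL (example's own list).
SHELL_MARKERS = ("$(", "`", "$IFS", ";", "|", "&&")


def classify_request(target):
    """Return a reason string if the request target looks like WebShot abuse, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("timthumb.php"):
        return None
    # parse_qs percent-decodes values, so an encoded payload is inspected in clear.
    # Keys are normalised because the quoted example uses "??webshot=1".
    qs = {k.lstrip("?"): v for k, v in
          parse_qs(parts.query, keep_blank_values=True).items()}
    webshot = qs.get("webshot", [""])[0]
    src = qs.get("src", [""])[0]
    if webshot in ("", "0"):
        return None  # ordinary resize request, no WebShot involvement
    hits = [m for m in SHELL_MARKERS if m in src]
    if hits:
        return "webshot enabled with shell metacharacters in src: " + ", ".join(hits)
    return "webshot request (feature should be disabled)"


def scan_log(text):
    """Return a list of (ip, timestamp, reason, target) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reason = classify_request(m.group("target"))
        if reason:
            findings.append((m.group("ip"), m.group("ts"), reason, m.group("target")))
    return findings


if __name__ == "__main__":
    for ip, ts, reason, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {reason}\n    {target}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's contents; any hit on a site where WebShot was enabled is a reason to treat the host as compromised and review files modified around that timestamp, not just to disable the option.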

TimThumb ships with the WebShot option disabled by default, so only those WordPress users who have enabled the WebShot feature are exposed to this attack.

If you are using the script on your website, you should disable the option to prevent misuse.
Open your TimThumb file inside the theme or plugin, search for "WEBSHOT_ENABLED" and set it to false.

i.e. define('WEBSHOT_ENABLED', false)
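A WordPress install often carries more than one copy of the script (themes and plugins each bundle their own), so the check above is worth automating. The following is an added example, not code from the article or from the TimThumb project: it walks a document root, finds every file named timthumb.php, reports the value of the WEBSHOT_ENABLED define, and can rewrite true to false in place. It assumes the define keeps the shape shown in the article; the constructed sample tree built by build_sample_site() exists only to demonstrate the audit.

```python
import re
import tempfile
from pathlib import Path

# Matches define('WEBSHOT_ENABLED', true) in the spacing/quoting variants seen
# in TimThumb sources; the value is captured so it can be reported or rewritten.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)


def webshot_setting(php_source):
    """Return 'true', 'false', or None when the constant is not defined in this file."""
    m = DEFINE_RE.search(php_source)
    return m.group(1).lower() if m else None


def disable_webshot(php_source):
    """Return the source with every WEBSHOT_ENABLED define forced to false."""
    return DEFINE_RE.sub("define('WEBSHOT_ENABLED', false)", php_source)


def audit_tree(root, fix=False):
    """Map each timthumb.php under root to its WebShot setting; optionally fix it."""
    root = Path(root)
    results = {}
    for path in root.rglob("timthumb.php"):
        src = path.read_text(errors="replace")
        setting = webshot_setting(src)
        if setting == "true" and fix:
            path.write_text(disable_webshot(src))
            setting = "true->false"
        results[str(path.relative_to(root))] = setting
    return results


def build_sample_site():
    """Create a constructed WordPress-like tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    enabled = root / "wp-content" / "themes" / "themeA" / "timthumb.php"
    disabled = root / "wp-content" / "plugins" / "pluginX" / "timthumb.php"
    for p in (enabled, disabled):
        p.parent.mkdir(parents=True, exist_ok=True)
    # Sample contents only: a guarded define as TimThumb writes it, one true, one false.
    enabled.write_text("<?php\nif(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);\n")
    disabled.write_text("<?php\nif(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);\n")
    return root


def demo():
    """Audit the sample tree before fixing, while fixing, and after fixing."""
    root = build_sample_site()
    before = audit_tree(root)
    fixed = audit_tree(root, fix=True)
    final = audit_tree(root)
    return before, fixed, final


if __name__ == "__main__":
    for label, result in zip(("before", "fix", "after"), demo()):
        print(label, result)
```

Point audit_tree() at the real document root (fix=False first, to see what is there). A None result means the file does not define the constant itself, which can happen when a theme sets it in a separate config file it includes before timthumb.php; check that file too, since a define there takes precedence over the guarded default in the script.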

More details about the vulnerability are available at Cxsecurity.