TimThumb-script in Weaver Xtreme v6.4

    #74751
    Meteorfan
    Participant

    I use the Security Ninja scanner (V5.196 – https://de.wordpress.org/plugins/security-ninja/) on my website. After the last update with new features, a warning is displayed that the TimThumb file/script was found in Weaver Xtreme V6.4.

    The message is “We do not recommend using the TimThumb script for editing images. Apart from the security issues that some versions have had, WordPress has its own inbuilt functions for editing images that should be used instead. Contact the theme developer and ask them to update the theme. It’s unlikely that you’ll be able to fix this issue yourself.”

    I found on other sites that the developer has abandoned the script and is no longer patching or updating it, and also “we highly recommend staying away from using TimThumb and instead using the features native to WordPress.”

    I am a user and not a developer and now very confused. Is there any advice?

    WP 6.5.5/Weaver Xtreme 6.4/Weaver Xtreme Theme Support 6.5.1

    #74752
    User
    Moderator

    Thank you.

    @Weaver will need to comment.
    Regards!

    #74753
    Weaver
    Keymaster

    I’ve never heard of TimThumb. I checked all Weaver Xtreme files, theme support, and Plus, and there is no instance I can find of TimThumb. And there is no image resizing feature in any Weaver module.

    The Security Ninja-scanner may have found an instance in another plugin?

    Does it provide a more exact reference to the usage?

    #74754
    User
    Moderator

    @Meteorfan

    After checking with WP Archives, I found that Wordfence has reported false-positives on this issue in the past.

    Given what @Weaver wrote, and the fact that no one else has reported this issue in regards to this Theme, may I humbly suggest that there is nothing here for you to worry about.

    Regards!

    #74755
    scrambler
    Moderator

    Could the site have been hacked and stuff been installed in the Weaver directory by a third party?

    If you do not already have WordFence installed to protect your site, maybe you should do so (the free version) and run a scan.

    #74756
    Meteorfan
    Participant

    @Weaver

    I’m attaching a screenshot of the message, that’s all I have. But it’s German, sorry.

    edit: This obviously does not work here with an image file from my hard disk.


    @scrambler

    I have not found any evidence of a hack of the site in my hoster’s log files. There are also no other unnatural anomalies. The small website has only a few hits. Other users cannot log in.
    I will think about installing WordFence and contact the Security Ninja forum.

    #74757
    Weaver
    Keymaster

    I’ve done another, completely thorough check of all Weaver Theme files, including Weaver plugins, and I can assure you that Weaver Xtreme does not use, nor has it ever used, TimThumb. There is no legitimate reason that Security Ninja should be generating such a message. It must have some sort of bug in the search patterns it is using to scan theme files. I find such a message misleading, approaching slanderous.

    #74758
    Meteorfan
    Participant

    Many thanks to everyone for their help. I am now reassured.


    @Weaver

    May I use this answer in the Ninja support forum?

    #74759
    Weaver
    Keymaster

    It is not necessary. They’ve had an update recently that I just checked, and the message is no longer there.

    I’ve also posted a new version of Weaver Xtreme (6.5.1) which updates the WordPress compatibility to 6.5, and removed the recommendation for the obsolete widget shortcode.

    #74760
    Meteorfan
    Participant

    Thank you. I have just installed the new Ninja version. Everything is fine here too.
