by teyc 5434 days ago
I wonder if it would be better if he disclosed this to the theme vendors.

Exactly what I thought upon reading "The current version of timthumb has this issue. Since it’s already in the wild and I just got hacked by it, I figure it’s ok to release the vulnerability to the general public."
There's no other way to inform most people about the problem. There are several thousand free WordPress themes in the wild, and obtaining them does not involve getting on the developers' mailing lists or otherwise being contactable. Even if it were possible to notify every theme developer that may be including timthumb in their theme, those developers would have no way to notify the end users.
That's not really possible. There are well over 1,000 different theme authors in the WordPress theme directory alone.
The commercial theme vendors probably have a mailing list. I hope they'd contact their clients straight away.

This is turning out to be a rather big hole.