by patio11 5434 days ago
WordPress gets no opportunity to execute a single line of code at any point in this process. TimThumb can be executed without needing to go through WordPress at any point. The only relevance of WordPress to this is that many WordPress themes happen to ship with TimThumb. If you have a WordPress theme installed on your server (note: activation not required!) which ships with it, you are vulnerable.

WordPress could theoretically intercept calls to PHP files below its own root, but that would be a breaking change for a LOT of code and sites.
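Added example (not part of the comment above, and not code from WordPress or TimThumb): a small scanner that implements the check patio11's point implies. It walks every theme directory on disk, active or not, reports each shipped copy of the script, and shows the URL at which the web server would run that file directly with no WordPress code in the request path. It assumes the default `wp-content/themes` layout; the sample site tree is constructed inline, and `thumb.php` as an alternate filename is an assumption rather than something the comment states.

```python
"""Find TimThumb copies shipped inside WordPress themes, whether or not the
theme is active, and show the direct URL that bypasses WordPress entirely.
Added example; assumes the default wp-content/themes layout."""
import os
import tempfile
from pathlib import Path

# 'timthumb.php' is the script's canonical filename. 'thumb.php' is an assumed
# alias (assumption: some themes rename the file), not taken from the comment.
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}


def find_timthumb(wp_root):
    """Return sorted (theme_name, path_relative_to_wp_root) pairs for every
    copy found under wp-content/themes. Theme activation is irrelevant: the
    file exists on disk, so the web server will happily execute it."""
    wp_root = Path(wp_root)
    themes_dir = wp_root / "wp-content" / "themes"
    hits = []
    if not themes_dir.is_dir():
        return hits
    for theme in sorted(p for p in themes_dir.iterdir() if p.is_dir()):
        for path in theme.rglob("*.php"):
            if path.name.lower() in TIMTHUMB_NAMES:
                hits.append((theme.name, path.relative_to(wp_root).as_posix()))
    return sorted(hits)


def direct_urls(site_url, hits):
    """URLs at which each copy is reachable. Nothing in these paths goes
    through index.php, so WordPress never runs for such a request."""
    return [f"{site_url.rstrip('/')}/{rel}" for _, rel in hits]


def build_sample_site():
    """Constructed sample WordPress tree (not a real install): one theme
    without TimThumb, two inactive themes that ship it."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-content/themes/twentyeleven/index.php": "<?php // no timthumb here\n",
        "wp-content/themes/oldtheme/timthumb.php": "<?php // shipped by an inactive theme\n",
        "wp-content/themes/other/lib/thumb.php": "<?php // renamed copy in a subdirectory\n",
        "wp-content/themes/other/style.css": "/* Theme Name: other */\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    found = find_timthumb(site)
    for theme, rel in found:
        print(f"theme {theme!r} ships {rel}")
    for url in direct_urls("https://example.com", found):
        print("directly reachable at", url)
```

Run it against a real document root by calling `find_timthumb("/var/www/html")` instead of the constructed tree; the URLs it prints are the ones to test or block at the web server, since fixing WordPress itself cannot help.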