CVE-2014-4663
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allow remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.
Severity
N/A
EPSS
Probability of exploitation (next 30 days): 0.1685 (16.8%)
Percentile: 95.0%
EPSS: 2026-05-06
Affects
- binarymoon:timthumb
- binarymoon:wordthumb
Technical description
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allow remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.
Published: 7/15/2014, 2:55:10 PM
Last modified: 5/6/2026, 10:30:45 PM
References
- http://packetstormsecurity.com/files/127192/TimThumb-2.8.13-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2014/Jul/4
- http://seclists.org/fulldisclosure/2014/Jun/117
- http://seclists.org/oss-sec/2014/q2/689
- http://secunia.com/advisories/59558
- http://www.exploit-db.com/exploits/33851
- https://code.google.com/p/timthumb/issues/detail?id=485
- https://code.google.com/p/timthumb/source/detail?r=219