Unrated severity · NVD Advisory · Published Oct 26, 2013 · Updated Apr 29, 2026
CVE-2011-4106
Description
TimThumb (timthumb.php) before 2.0 does not validate the entire source with the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it via a direct request to the file in the cache directory, as exploited in the wild in August 2011.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 7
- markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/ [nvd, Patch]
- code.google.com/p/timthumb/issues/detail [nvd, Exploit, Patch]
- www.exploit-db.com/exploits/17602 [nvd, Exploit]
- www.exploit-db.com/exploits/17872 [nvd, Exploit]
- markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/ [nvd]
- www.binarymoon.co.uk/2011/08/timthumb-2/ [nvd]
- www.openwall.com/lists/oss-security/2011/11/03/4 [nvd]
News mentions: 0
No linked articles in our index yet.