Unrated severityNVD Advisory· Published Jul 15, 2014· Updated May 6, 2026

CVE-2014-4663

Description

TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.

Affected products

Binarymoon/Timthumb
cpe:2.3:a:binarymoon:timthumb:2.8.13:*:*:*:*:*:*:*
Binarymoon/Wordthumb
cpe:2.3:a:binarymoon:wordthumb:1.07:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/33851nvdExploit
packetstormsecurity.com/files/127192/TimThumb-2.8.13-Remote-Code-Execution.htmlnvd
seclists.org/fulldisclosure/2014/Jul/4nvd
seclists.org/fulldisclosure/2014/Jun/117nvd
seclists.org/oss-sec/2014/q2/689nvd
secunia.com/advisories/59558nvd
code.google.com/p/timthumb/issues/detailnvd
code.google.com/p/timthumb/source/detailnvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.013
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000