The image utility is not part of the WordPress core files, but is used in hundreds of WordPress themes. The script consists of a single file called timthumb.php and provides on-the-fly image cropping, zooming and resizing. Timthumb relies a white list of domain names from which images can be remotely fetched, which include popular image hosting web sites like Flickr, Picasa, Blogger, WordPress and many more.

There is a flaw in the validation process which allows files to be loaded from domains like ‘wordpress.com.evilhacker.cn’ because wordpress.com is in the domain name.

The script stores these images in a cache directory which is web accessible to make the script work on most servers without needing to be modified.

The timthumb developers are already working on a fix.

The problem I see here is that many of the people who are at risk (the ones that use WordPress because it’s ‘easy’) don’t even know they are vulnerable let alone how to replace the file.