• Triggers errors
• Uses create_function(), but the variable is passed through absint() first
• TimThumb 2.8.10 is included in this plugin
  • The __destruct() method of the timthumb class deletes files, which could be used as part of a PHP serialized object injection, however the file appears not to be included by the plugin and it doesn’t appear to use unserialize() itself
  • It being meant to be executed directly could be a compatibility issue for hardened environments
  • It appears to use the directory timthumb/cache within the plugin instead of a directory in wp-content/uploads, which could also cause compatibility issues
  • Uses “ (equivalent to exec()), only if one of three options is set, but the use of “ seems dodgy (which requires adding a file at timthumb/timthumb-config.php – the options are not set by default)

No issues were found, but I think more time should be devoted to investigating TimThumb if you are considering using this plugin.

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

This plugin seems safe, but uses TimThumb, which has a poor history and does not look so safe.