A zero-day vulnerability in the popular TimThumb plugin for WordPress leaves many websites vulnerable to exploits that allow unauthorized attackers to execute malicious code, security researchers have warned.

The vulnerability, which was disclosed Tuesday on the Full Disclosure mailing list, affects WordPress sites that have TimThumb installed with the webshot option enabled. Fortunately, it is disabled by default, and sites that are hosted on WordPress.com are also not susceptible. Still, at press time, there was no patch for the remote-code execution hole. People who are unsure if their WordPress-enabled site is vulnerable should open the timthumb file inside their theme or plugin directory, search for the text string "WEBSHOT_ENABLED," and ensure that it's set to false.

When "WEBSHOT_ENABLED" is set to true, attackers can create or delete files and execute a variety of other commands, Daniel Cid, CTO of security firm Sucuri, warned in a blog post published Thursday. He said uploading a file to a vulnerable site was possible using URLs such as the following, where a.txt was the file being created:

http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php??webshot=1&src=http://vulnerablesite.com/$(touch$IFS/tmp/a.txt)

Another mitigating condition is that some firewalls will prevent attacks from working against otherwise vulnerable sites. Still, given the potential harm, operators of WordPress sites should double-check their settings to ensure webshot is disabled.