WordPress Flaws and Vulnerabilities

BJ Lazy Load and TimThumb

BJ Lazy Load is a plugin that defers image loading, available for free on the official WordPress repository, and it uses TimThumb.

On 1 September 2015 we did some research on lazy loading plugins and discovered that this plugin, BJ Lazy Load v0.7.5, was using an outdated version of TimThumb, the famous script that has been responsible for hacks since 2011.

If you don’t remember it: some years ago TimThumb (TT) contained a very serious vulnerability that allowed any visitor to upload any kind of file to your website. This led to a great many hacked websites; it was genuinely disastrous.

What do we do in this case?

This plugin was reported to the plugin validation team on w.org, and they told us that even when updated, this script is not allowed on the repository: no plugin or theme is allowed to use it.

It’s a sound decision, because even an updated copy can still contain flaws, and there were so many earlier ones that I can’t trust it anymore. They are protecting users from it, which is good.
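As an added example (not code from the post or from either plugin), here is a small Python check that walks a wp-content directory and reports every bundled TimThumb copy together with its declared version, matching on file content rather than filename because plugin and theme authors often rename the script. It assumes TimThumb releases declare their version in a `define('VERSION', ...)` line; the sample tree and its version strings are constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: TimThumb declares its release as  define ('VERSION', '2.8.14');  near the
# top of timthumb.php, with spacing that varies between releases.
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]\s*\)""")

def inspect_php(path: Path):
    """Return the TimThumb version if this PHP file looks like TimThumb, else None."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return None
    # Match on content, not filename: bundled copies are often renamed (thumb.php etc.).
    if "timthumb" not in text.lower():
        return None
    m = VERSION_RE.search(text)
    return m.group(1) if m else "unknown"

def find_timthumb(root):
    """List (relative path, version) for every TimThumb copy under a wp-content tree.
    Per the w.org policy above, every hit is a finding, whatever the version."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                version = inspect_php(Path(dirpath) / name)
                if version is not None:
                    hits.append(((Path(dirpath) / name).relative_to(root).as_posix(), version))
    return sorted(hits)

def build_sample_tree():
    """Constructed wp-content tree; the version strings are made up for the demo."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "plugins/bj-lazy-load/timthumb.php": "<?php\n/* TimThumb stand-in */\ndefine ('VERSION', '2.8.10');\n",
        "themes/sample-theme/inc/thumb.php": "<?php\n// renamed TimThumb copy\ndefine('VERSION','2.8.14');\n",
        "plugins/rocket-lazy-load/rocket-lazy-load.php": "<?php\n/* Rocket Lazy Load: no thumbnail script */\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root

def demo():
    return find_timthumb(build_sample_tree())
```

Run `demo()` against the constructed tree to see both TimThumb copies reported; point `find_timthumb()` at a real wp-content directory to audit an install.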

The plugin came back a few hours after its removal, bumped from version 0.7.5 to 1.0 and without TimThumb. Stay updated!

We recommend using Rocket Lazy Load instead.