WPThumb Security & Risk Analysis

wordpress.org/plugins/wp-thumb

An on-demand image generation replacement for WordPress' image resizing.

900 active installs · v0.10 · PHP + WP 3.5+ · Updated Apr 1, 2014
Tags: crop, image, phpthumb, resize, thumbnail

Score: 63 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Jun 19, 2025
Safety Verdict

Is WPThumb Safe to Use in 2026?

Use With Caution

Score 63/100

WPThumb has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jun 19, 2025 · Updated 12 yr ago
Risk Assessment

The wp-thumb v0.10 plugin exhibits a mixed security posture. While the static analysis shows no dangerous functions, all SQL queries using prepared statements, and a limited attack surface primarily through one shortcode, significant concerns arise from output escaping and the vulnerability history. The fact that 54% of outputs are not properly escaped presents a risk of Cross-Site Scripting (XSS) vulnerabilities, especially if user-supplied data is involved in these outputs. Furthermore, the presence of one unpatched medium severity CVE, specifically SSRF, dating from 2025, is a critical red flag. This indicates a known weakness that has not been addressed, leaving sites vulnerable to potentially serious attacks if an exploit becomes available. While the plugin has strengths in its handling of database queries and a small attack surface, the unaddressed CVE and poor output sanitization are significant weaknesses that elevate its risk profile.

Key Concerns

  • Unpatched medium CVE
  • High percentage of unescaped output
  • Missing capability checks
  • Missing nonce checks
Vulnerabilities (1)

WPThumb Security Vulnerabilities

CVEs by Year

1 CVE in 2025 (unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-49983 · medium · 6.4 · Server-Side Request Forgery (SSRF)

WPThumb <= 0.10 - Authenticated (Contributor+) Server-Side Request Forgery

Jun 19, 2025 · Unpatched
Code Analysis (analyzed Mar 16, 2026)

WPThumb Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 13 (11 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Output Escaping

46% escaped (24 total outputs)
Attack Surface

WPThumb Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes (1)

[wpthumb] · wpthumb.shortcodes.php:11
WordPress Hooks (14)

filter · wpthumb_image_post · wpthumb.background-fill.php:141
filter · attachment_fields_to_edit · wpthumb.crop-from-position.php:11
filter · attachment_fields_to_save · wpthumb.crop-from-position.php:12
action · init · wpthumb.crop-from-position.php:15
filter · image_downsize · wpthumb.php:658
filter · wp_delete_file · wpthumb.php:677
action · admin_notices · wpthumb.php:730
filter · wp_image_editors · wpthumb.php:741
filter · wpthumb_post_image_args · wpthumb.watermark.php:79
filter · wpthumb_image_pre · wpthumb.watermark.php:101
filter · wpthumb_image_post · wpthumb.watermark.php:117
filter · attachment_fields_to_edit · wpthumb.watermark.php:209
filter · attachment_fields_to_save · wpthumb.watermark.php:210
action · init · wpthumb.watermark.php:213
Maintenance & Trust

WPThumb Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.7.41
Last updated: Apr 1, 2014
PHP min version
Downloads: 37K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 900
Developer Profile

WPThumb Developer Profile

Joe Hoyle

4 plugins · 10K total installs

Trust score: 81
Avg Security Score: 81/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WPThumb

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-thumb/wpthumb.watermark.php
/wp-content/plugins/wp-thumb/wpthumb.background-fill.php
/wp-content/plugins/wp-thumb/wpthumb.crop-from-position.php
/wp-content/plugins/wp-thumb/wpthumb.shortcodes.php

HTML / DOM Fingerprints

Shortcode Output
[wpthumb]
FAQ

Frequently Asked Questions about WPThumb