Mark Maunder reports:

An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory.

Full story here.  If you run WordPress, take his advice and check for the file within your theme directories.  We’re adding it to the list of possible attack vectors we look for during our incident response.
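To make the "partial match on hostnames" problem concrete, here is an added illustration (not timthumb's own code, and not from Mark Maunder's post) of why a substring match on the image source URL is an unsafe allow-list check, next to a stricter host comparison. The `$allowedSites` entries and sample URLs are constructed; the strict check assumes PHP 8 for `str_ends_with()`.

```php
<?php
// Added illustration, not timthumb's code: substring allow-list check vs. a
// strict host check. Allow-list entries and sample URLs are constructed.

$allowedSites = ['blogger.com', 'wordpress.com'];

// Weak check: accepts the URL if an allowed name appears *anywhere* in it,
// so a foreign host or path that merely contains the name also passes.
function weak_is_allowed(string $src, array $allowedSites): bool
{
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($src), strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check: parse the URL, require http(s), and compare the host with
// the allow-list exactly or as a dot-delimited subdomain of an entry.
function strict_is_allowed(string $src, array $allowedSites): bool
{
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site || str_ends_with($host, '.' . $site)) {
            return true;
        }
    }
    return false;
}

$samples = [
    'http://img.blogger.com/photo.jpg',          // legitimate subdomain: both allow
    'http://blogger.com.example.invalid/x.php',  // constructed foreign host: weak allows, strict denies
    'http://example.invalid/blogger.com/x.php',  // constructed, name only in path: weak allows, strict denies
];
foreach ($samples as $src) {
    printf("%-42s weak=%s strict=%s\n", $src,
        weak_is_allowed($src, $allowedSites) ? 'allow' : 'deny',
        strict_is_allowed($src, $allowedSites) ? 'allow' : 'deny');
}
```

Setting `$allowedSites` to an empty array, as the post advises, makes both checks deny every remote source, which is the safe default until the patched version is in place.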

UPDATE:  The file has been patched on its Google Code page.  Get the updated version for your site (or if your theme creator is on top of things, make sure you update your theme immediately).