critical zero day wordpress security flaw with timthumb.php


by Craig Mayhew on Tue 9th Aug 2011 under General
In a nutshell, timthumb.php is used to resize images in many WordPress themes, and it doesn't check images fetched from remote sources to make sure they really are images and not a malicious script.

To fix it you need to change $ALLOWED_SITES to be an empty array.

e.g. $ALLOWED_SITES = array();

An example of what you may initially find:

$ALLOWED_SITES = array (
'flickr.com',
'picasa.com',
'img.youtube.com',
'upload.wikimedia.org',
'photobucket.com',
'imgur.com',
'imageshack.us',
'tinypic.com'
);
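To show what the missing check looks like in practice, here is an added example (not TimThumb's or this post's own code) of the two defensive checks a resizer should make: refuse remote sources unless their host is on the allowlist (an empty $ALLOWED_SITES disables remote fetches entirely), and verify the downloaded bytes really are an image before handing them to the resizer. The function names, the 'src' parameter and the temp-file handling are assumptions of this example.

```php
<?php
// Added example, not TimThumb's own code. An empty $ALLOWED_SITES means
// "no remote images at all", as the post advises. Function names are hypothetical.

$ALLOWED_SITES = array();

function remote_host_allowed(string $url, array $allowed): bool {
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || $host === false) {
        return false;
    }
    $host = strtolower($host);
    foreach ($allowed as $site) {
        $site = strtolower($site);
        // Exact host or a real subdomain only, never a loose substring match.
        if ($host === $site || substr($host, -strlen('.' . $site)) === '.' . $site) {
            return true;
        }
    }
    return false;
}

function looks_like_image(string $path): bool {
    // Both checks inspect the bytes on disk; neither trusts the URL or extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if (!in_array($mime, array('image/jpeg', 'image/png', 'image/gif'), true)) {
        return false;
    }
    return @getimagesize($path) !== false;
}

// Usage: refuse before fetching, then refuse again after fetching.
$src = $_GET['src'] ?? '';
if (preg_match('#^https?://#i', $src)) {
    if (!remote_host_allowed($src, $ALLOWED_SITES)) {
        http_response_code(403);
        exit('Remote images are not allowed.');
    }
    // Download to a temp file outside the web root, never into the cache dir directly.
    $tmp = tempnam(sys_get_temp_dir(), 'img');
    file_put_contents($tmp, file_get_contents($src));
    if (!looks_like_image($tmp)) {
        unlink($tmp);
        http_response_code(400);
        exit('Fetched file is not an image.');
    }
    // From here $tmp has passed both checks and can be given to the resizer.
}
```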

If you have been affected then you need to clear out the infection on your server:

Search your WordPress directory for the base64_decode function and make sure you don't have any odd-looking long encoded strings anywhere.
