Osirt, a malware security company is reporting that the WordPress theme OptimizePress contains a significant security vulnerability. According to the security bulletin published a few days ago, the problem lies within the Media-upload.php file. When a browser loads this file within the theme, the media upload screen appears. From here, malicious users can upload php files and execute them on the server.
So far, OptimizePress has not made any public statements regarding the security bulletin. Their Twitter account has been inactive since March of 2013. Judging by the comments on the Osirt article, it looks like this vulnerability may be limited to version 1 of the theme.
An initial look on my OP2 install doesn’t show this file: wp-content/themes/OptimizePress/lib/admin/media-upload.php exists at this location. The OptimizePress directory is called OptimizePressTheme in OP2 and even if you follow that tree, there isn’t a media-upload.php. – CourageDragon
If you are using version 1 of OptimizePress, you’re encouraged to set your desired “Coming Soon” image and then rename or delete wp-content/themes/OptimizePress/lib/admin/media-upload.php. It’s also worth noting that even if OptimizePress version one is not activated, the media-upload file can still be accessed.
*Update*
Thanks to Len in the comments, he shared this support link via the help area of OptimizePress that specifically notes the security vulnerability in version 1 of their theme. Those who are using OptimizePress 2.0 or later are not at risk.
Has this been fixed?