Themify has announced that they have discovered and confirmed a vulnerability in their framework. The vulnerability stems from an insecure file named themify-ajax.php. The fix was released on November 9th, 2012, but the auto-upgrade process failed to delete the file. Themify states they have "recently received several reports of intruders using themify-ajax.php to upload files to users' servers".
The vulnerability is limited to users who installed the Themify framework version 1.2.1 and below. Users are encouraged to check their web hosting accounts to see whether their theme still contains the vulnerable file. If you don't find it, chances are you're safe. If the file is present, you need to download the latest version of the Themify framework from the members area and replace the entire theme folder with it. If you think you've been compromised due to this vulnerability, you should contact Themify as soon as possible.
Props on them for alerting people.
What catches my attention is they said the file did not get deleted on upgrade. That’s not normal for WP (which deletes the theme or plugin folder entirely and replaces it on upgrade). I wonder why this is not happening for that theme.