Themify Announces Security Vulnerability With Fix

Themify has announced that they have discovered and confirmed a vulnerability in their framework. The vulnerability stems from an insecure file named themify-ajax.php. The fix was released on November 9th, 2012, but the auto-upgrade process failed to delete the file. Themify states they have “recently received several reports of intruders using themify-ajax.php to upload files to users’ servers”.

The vulnerability is limited to users who installed the Themify framework version 1.2.1 and below. Users are encouraged to check their web hosting accounts to see whether their theme still contains the vulnerable file. If you don’t find it, chances are you’re safe. If the file is present, you need to download the latest version of the Themify framework from the members area and replace the entire theme folder with it. If you think you’ve been compromised due to this vulnerability, you should contact Themify as soon as possible.
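The check the post describes, done from a shell on the hosting account, as an added example that is not Themify's or this site's code. It assumes a standard WordPress layout where themes live under `wp-content/themes`; the theme names and the temporary sample tree it builds are constructed for the demo, and the only indicator it looks for is the presence of the `themify-ajax.php` file named in the post.

```shell
#!/bin/sh
# Added example (not Themify's or WP Tavern's code): look for the
# themify-ajax.php file that the failed auto-upgrade left behind.
# Assumed layout: <wordpress>/wp-content/themes/<theme>/... ; the
# theme names used in the sample tree below are constructed.

# Count themify-ajax.php files under a themes directory (for scripting).
count_themify_ajax() {
  find "$1" -type f -name 'themify-ajax.php' 2>/dev/null | wc -l | tr -d ' '
}

# List every themify-ajax.php under the given themes directory.
# Returns 0 when none is present, 1 when at least one is found.
scan_themify_ajax() {
  themes_dir="$1"
  found=$(find "$themes_dir" -type f -name 'themify-ajax.php' 2>/dev/null)
  if [ -z "$found" ]; then
    echo "No themify-ajax.php found under $themes_dir"
    return 0
  fi
  echo "Vulnerable file present; replace the whole theme folder with the latest Themify framework:"
  echo "$found" | while IFS= read -r f; do
    # ls -l shows the modification time, which you can compare against
    # the November 9, 2012 fix date mentioned in the post.
    ls -l "$f"
  done
  return 1
}

# Build a constructed sample tree so the example runs offline:
# one theme still carrying the old file, one clean theme.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/basic/themify" \
           "$root/wp-content/themes/clean/themify"
  : > "$root/wp-content/themes/basic/themify/themify-ajax.php"      # leftover vulnerable file
  : > "$root/wp-content/themes/clean/themify/themify-functions.php" # hypothetical clean file
  echo "$root"
}

# Demo run against the constructed tree; on a real host you would call
# scan_themify_ajax /path/to/wordpress/wp-content/themes instead.
root=$(make_sample_tree)
scan_themify_ajax "$root/wp-content/themes" || echo "scan exit status: $?"
rm -rf "$root"
```

The scan only proves the file is present or absent; if it is present, follow the post's advice and replace the whole theme folder rather than deleting the single file, since an upgrade that failed to remove it may have left other stale files behind as well.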

2 Comments


  1. Props on them for alerting people.

    What catches my attention is they said the file did not get deleted on upgrade. That’s not normal for WP (which deletes the theme or plugin folder entirely and replaces it on upgrade). I wonder why this is not happening for that theme.



  2. I’m guessing they must have bypassed the built-in WordPress update mechanism for that to occur. The WordPress update system obliterates everything in the folder during the upgrade as a (sensible) security measure to stop stuff like this from happening.

    Props for going public with it though. I see far too many people either trying to cover stuff like this up, or even worse, just ignoring it and declaring it’s not their problem :/
