13 Nov 2013
Hello Themify users,
We have recently received and confirmed reports of a vulnerability that exists within the Themify framework, and we would like to shed some light on the situation and ensure that you take the proper steps to protect yourself from this vulnerability.
The Low Down
In older versions of the Themify framework we shipped an insecure file, 'themify-ajax.php'. It was fixed and removed in framework version 1.2.2, released on November 9, 2012. However, users who upgraded through the auto-upgrader did not have the old file removed from their server, and we have recently received several reports of intruders using 'themify-ajax.php' to upload files to users' servers.
Am I Affected?
This vulnerability only affects users who installed a Themify theme with a framework version earlier than 1.2.2, released on November 9, 2012 (you can find the changelogs here). Note that upgrading through the auto-upgrader since then does not put you in the clear by itself, because the auto-upgrader does not remove the old file.
To be absolutely sure, check for the file 'themify-ajax.php' on your server by following these steps:
- connect to your FTP server
- from the root WordPress folder, go to 'wp-content' folder
- go to 'themes' folder
- go to [themify_theme_folder]
- go to 'themify' folder
- and check for the 'themify-ajax.php' file (note that 'themify-wpajax.php' is the fixed version introduced in 1.2.2; seeing that file is fine)
If you can’t find it, you’re safe.
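The same check, scripted, as an added example that is not part of Themify's own tools: it walks every theme under wp-content/themes (not just one [themify_theme_folder]) and lists each copy of the legacy 'themify-ajax.php', and it counts requests to that file in a web-server access log, since the report above is that intruders were using the file to upload things. The WordPress root, the log location and the combined log format are assumptions, and the directory tree and log lines it runs against are constructed for the demo, not taken from a real site.

```shell
#!/bin/sh
# Added example, not Themify's code. Assumes the standard WordPress layout
# wp-content/themes/<theme>/themify/ and an Apache/nginx combined-format log.

# find_legacy_ajax WP_ROOT
# Prints the path of every themify-ajax.php found under any theme's themify/
# folder. Exit status is grep-like: 0 when at least one copy was found
# (site is affected), 1 when none was found (site is clean).
find_legacy_ajax() {
    wp_root="$1"
    status=1
    for theme_dir in "$wp_root"/wp-content/themes/*/; do
        legacy="${theme_dir}themify/themify-ajax.php"
        # The fixed themify-wpajax.php is NOT matched here; only the old file is.
        if [ -f "$legacy" ]; then
            printf '%s\n' "$legacy"
            status=0
        fi
    done
    return $status
}

# count_ajax_hits ACCESS_LOG
# Prints how many request lines in the log hit /themify/themify-ajax.php.
# Requests to the fixed themify-wpajax.php do not match the pattern.
count_ajax_hits() {
    grep -c '/themify/themify-ajax\.php' "$1" 2>/dev/null || true
}

# ---- constructed demo data (assumption: not a real install or real log) ----
DEMO_ROOT="$(mktemp -d)"
trap 'rm -rf "$DEMO_ROOT"' EXIT

# Theme upgraded through the auto-upgrader: the new file is present but the
# legacy file was never removed.
mkdir -p "$DEMO_ROOT/wp-content/themes/old-theme/themify"
: > "$DEMO_ROOT/wp-content/themes/old-theme/themify/themify-ajax.php"
: > "$DEMO_ROOT/wp-content/themes/old-theme/themify/themify-wpajax.php"

# Theme installed fresh from a 1.2.2-or-later package: only the fixed file.
mkdir -p "$DEMO_ROOT/wp-content/themes/new-theme/themify"
: > "$DEMO_ROOT/wp-content/themes/new-theme/themify/themify-wpajax.php"

# Constructed combined-format log lines: two hits on the legacy file, one on
# the fixed file.
DEMO_LOG="$DEMO_ROOT/access.log"
cat > "$DEMO_LOG" <<'EOF'
203.0.113.5 - - [12/Nov/2013:03:14:07 +0000] "POST /wp-content/themes/old-theme/themify/themify-ajax.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2013:03:15:22 +0000] "GET /wp-content/themes/old-theme/themify/themify-wpajax.php?action=x HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2013:03:16:01 +0000] "POST /wp-content/themes/old-theme/themify/themify-ajax.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
EOF

# ---- run the check against the demo tree ----
if find_legacy_ajax "$DEMO_ROOT"; then
    echo "AFFECTED: replace each listed theme folder with a fresh copy from the member dashboard"
    echo "requests to the legacy file in $DEMO_LOG: $(count_ajax_hits "$DEMO_LOG")"
else
    echo "SAFE: no themify-ajax.php under $DEMO_ROOT/wp-content/themes"
fi
```

On a real site, point DEMO_ROOT at the WordPress root and DEMO_LOG at the live access log. A non-zero hit count on the legacy file tells you the hole was being probed or used before you replaced the theme folder, which is worth knowing when you decide how far to look for uploaded files.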
However, if you see it, you will have to download the latest theme from the member dashboard and replace the entire theme folder. Here is a tutorial on how to use FTP to replace the theme folder. You must absolutely do this in order to prevent this vulnerability from being exploited on your website.
Once you have replaced your theme folder entirely, you are safe. If you are unsure and need help, please contact us immediately and we will respond as soon as possible.
We know that this vulnerability is an inconvenience and an issue that should never have happened in the first place, and we’re very sorry that it did. We hope that you can trust us to make issues like this known as soon as possible, and to have a solution in place for all of our users.
As we mentioned, please do not hesitate to contact us with any concerns or support requests. We will do our best to respond as soon as possible during this very important time.
Thank you so much for using Themify.
Update (Nov 13, 2013):
Please read this post for more detail on how to remove the legacy file 'themify-ajax.php'.
Updated Fix (Nov 14, 2013):
We've released a new framework update to fix this issue. Please read this post and upgrade your theme.