URGENT: Vulnerability Found in Themify Framework, Please Read

Hello Themify users,

We have recently received and confirmed reports of a vulnerability that exists within the Themify framework, and we would like to shed some light on the situation and ensure that you take the proper steps to protect yourself from this vulnerability.

The Low Down

In older versions of the Themify framework, we used to include an insecure file called 'themify-ajax.php'. It was fixed and removed in framework version 1.2.2, released on November 9, 2012. However, users who upgraded through the auto-upgrader did not have this file removed from their server, and we have recently received several reports of intruders using 'themify-ajax.php' to upload files to users' servers.

Am I Affected?

This vulnerability only affects users that installed a Themify theme with framework version before 1.2.2, released on November 9, 2012 (you can find the changelogs here).

To be absolutely sure, check for the file 'themify-ajax.php' on your server by following these steps:

  • connect to your FTP server
  • from the root WordPress folder, go to 'wp-content' folder
  • go to 'themes' folder
  • go to [themify_theme_folder]
  • go to 'themify' folder
  • and check for the 'themify-ajax.php' file (note that 'themify-wpajax.php' is the fixed version introduced in 1.2.2)

If you can’t find it, you’re safe.

However, if you see it, you will have to download the latest theme from the member dashboard and replace the entire theme folder. Here is a tutorial on how to use FTP to replace the theme folder. You must absolutely do this in order to prevent this vulnerability from being exploited on your website.
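For installs you can reach over a shell rather than FTP, the script below is an added example (not Themify's own tooling) that automates the check above: it walks every theme under wp-content/themes and lists those whose 'themify' folder still carries the legacy 'themify-ajax.php', while ignoring the fixed 'themify-wpajax.php'. The WordPress root path and the sample theme names 'pinboard' and 'responz' in the constructed test layout are assumptions.

```shell
#!/bin/sh
# List every theme in a WordPress install that still ships the legacy file.
# Mirrors the manual path from the steps above:
#   <wp_root>/wp-content/themes/<theme>/themify/themify-ajax.php
# Argument 1: WordPress root (defaults to the current directory, an assumption).
find_legacy_themify_ajax() {
    wp_root="${1:-.}"
    themes_dir="$wp_root/wp-content/themes"
    [ -d "$themes_dir" ] || return 1
    # -name restricts to the exact legacy filename, so the fixed
    # 'themify-wpajax.php' is never reported; -path pins it to the
    # theme's own 'themify' framework folder.
    find "$themes_dir" -type f -name 'themify-ajax.php' \
        -path '*/themify/themify-ajax.php' 2>/dev/null
}

# Number of affected theme folders (0 means no action required).
count_affected() {
    find_legacy_themify_ajax "$1" | wc -l | tr -d ' '
}

# Constructed sample install so the check can be exercised offline:
# 'pinboard' still has the legacy file, 'responz' only has the fixed one.
make_sample_install() {
    root="$1"
    mkdir -p "$root/wp-content/themes/pinboard/themify" \
             "$root/wp-content/themes/responz/themify"
    : > "$root/wp-content/themes/pinboard/themify/themify-ajax.php"
    : > "$root/wp-content/themes/responz/themify/themify-wpajax.php"
}
```

Run `find_legacy_themify_ajax /path/to/wordpress` against the real install root; any path it prints is a theme folder that must be replaced as described above.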

What next?

Once you have replaced your theme folder entirely, you are safe. If you are unsure and need help, please contact us immediately and we will respond as soon as possible.

We know that this vulnerability is an inconvenience and an issue that should never have happened in the first place, and we’re very sorry that it did. We hope that you can trust us to make issues like this known as soon as possible, and to have a solution in place for all of our users.

As we mentioned, please do not hesitate to contact us with any concerns or support requests. We will do our best to respond as soon as possible during this very important time.

Thank you so much for using Themify.

Update (Nov 13, 2013):

Please read this post for more detail on how to remove the legacy file 'themify-ajax.php'.

Updated Fix (Nov 14, 2013):

We've released a new framework update to fix this issue. Please read this post and upgrade your theme.

12 Comments

  1. KChristoph
    Nov 13, 2013 @ 06:30

    Thanks !
    I’ve spread your words !
    http://t3n.de/aggregator/dringend-vulnerability-found-in-themify-framework-please-read
    KChristoph from Hannover, Germany

  2. Jeroen
    Nov 13, 2013 @ 09:35

    So to be completely sure:

    ‘themify-ajax.php’ = bad
    ‘themify-wpajax.php’ = good

    Right?

    • Nick La
      Nov 13, 2013 @ 16:38

      Technically, correct. If you don’t see the ‘themify-ajax.php’ file, no actions required.

  3. Matthew Oliveira
    Nov 13, 2013 @ 19:55

    Is there an easy way to neutralize the threat without updating the theme?

    In our case we use a themify theme (Pinboard) as a parent theme and the child theme is heavily reliant on the parent, such that updating the themify theme breaks a lot of stuff.

    • Rudd
      Nov 13, 2013 @ 23:15

      Wrong concept. If you understand the difference between a parent theme and a child theme, you won't be afraid to update. Any customization needs to be made to the child theme. Therefore, in case the parent theme needs to be updated, the customization made on the child theme will not be lost.

    • Matt Hawes
      Nov 16, 2013 @ 20:44

      There have been a few times when Themify upgrades actually changed the HTML being output by the parent theme, such that my child theme customizations only half worked after the update… Or a page template file that I customized became outdated. It would be helpful to know if there is a way to upgrade the framework only. This is kind of standard fare when working with themes – not really a surprise.

  4. Ed
    Nov 13, 2013 @ 20:21

    If you’re using the Responz theme, can you replace everything BUT the /uploads dir? Wiping out the entire folder and replacing it with an updated directory would wipe out any customizations would it not?

    I’m referencing these instructions:

    “However, if you see it, you will have to download the latest theme from the member dashboard and replace entire theme folder. You must absolutely do this in order to prevent this vulnerability from being exploited on your website.”

  5. Nick La
    Nov 13, 2013 @ 22:45

    Hi everyone,

    Please refer to this post: https://themify.me/blog/how-to-deal-with-vulnerability-in-old-themify-framework-versions for more details on how to remove the legacy file.

  6. Emily
    Nov 15, 2013 @ 01:43

    Thank you, Themify, for being on top of this and keeping your customers informed! Much appreciated and good work!

    • Nick La
      Nov 15, 2013 @ 22:10

      Thank you for being so supportive!

  7. Matt Hawes
    Nov 16, 2013 @ 20:39

    Appreciate the way this situation was handled. I was able to mitigate the risk/problem very easily thanks to this info.

  8. Julie Weber
    Dec 21, 2018 @ 23:07

    Thank you and have a good time and XMAS. :-)