
Updated Themify Framework to fix the vulnerability

To fix the vulnerability found in versions of the Themify framework before 1.2.2, we've released an update that deletes the legacy file 'themify-ajax.php' and any unknown files in the theme 'uploads' folder. This update (framework 1.6.3) saves you from having to remove the legacy file manually, as posted here. Themify users are recommended to upgrade to this version.

To upgrade your theme/framework, go to the Themify option panel page, where you should see the upgrade notice. After the update, check whether the file 'themify-ajax.php' still exists by looking at the file list in WP Admin > Appearance > Editor. You can also use FTP software to check for the file in the 'wp-content > themes > [themify_folder] > themify' folder.

NOTE: This vulnerability only affects themes installed with a Themify framework version before 1.2.2, released on November 9, 2012. Even if your theme is not affected, it's recommended that you update to this new version.

REMEMBER: If you have any inactive/old Themify themes sitting on the server, download them to your computer for backup and delete them from the server. This fix only applies to the active Themify theme.
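
Because the fix only applies to the active theme, the manual check above is worth repeating for every theme folder on the server. The script below is an added example, not Themify's code: it reports any leftover 'themify-ajax.php' and lists non-image files in each theme's 'uploads' folder for manual review. The `wp-content/themes/<theme>/uploads` location, the image extension list and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Themify update): audit all themes, active or not.
# Usage: sh audit-themify.sh /path/to/wordpress

# Print every leftover legacy file at
# wp-content/themes/<theme>/themify/themify-ajax.php
find_legacy_ajax() {
    for f in "$1"/wp-content/themes/*/themify/themify-ajax.php; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done | sort
}

# Assumption: the theme 'uploads' folder is wp-content/themes/<theme>/uploads.
# Print files there whose extension is not a common image type.
# This checks the extension only, so review the listed files by hand.
find_non_image_uploads() {
    for d in "$1"/wp-content/themes/*/uploads; do
        [ -d "$d" ] || continue
        find "$d" -type f ! -iname '*.jpg' ! -iname '*.jpeg' \
            ! -iname '*.png' ! -iname '*.gif' ! -iname '*.ico'
    done | sort
}

# Report both findings; exit status is 0 only when nothing was found.
audit_themes() {
    legacy=$(find_legacy_ajax "$1")
    odd=$(find_non_image_uploads "$1")
    if [ -n "$legacy" ]; then
        printf 'LEGACY FILE STILL PRESENT:\n%s\n' "$legacy"
    fi
    if [ -n "$odd" ]; then
        printf 'NON-IMAGE FILES IN THEME UPLOADS:\n%s\n' "$odd"
    fi
    [ -z "$legacy" ] && [ -z "$odd" ]
}

# Run only when a WordPress root is given on the command line.
if [ "$#" -ge 1 ]; then audit_themes "$1"; fi
```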

11 Comments

  1. Anders
    Nov 15, 2013 @ 11:46

    “…delete the legacy file ‘themify-ajax.php’ and any unknown files in the theme ‘uploads’ folder”

    Will this update delete images I have put there before?


  2. Anders
    Nov 15, 2013 @ 15:29

    One more thing…

    The Themify Banners & Links widget uses some images in the theme uploads folder. It’s icons for YouTube, Facebook etc.

    Problem, no problem? How do I move them if it’s a problem?


  3. Elio
    Nov 15, 2013 @ 22:11

    Hi Anders, the images you’ve uploaded will be perfectly fine, they won’t be deleted.


  4. Juanmi
    Nov 16, 2013 @ 09:45

    Hello, I don’t see any update notice for the “Elemin” theme.


  5. CPowers
    Nov 16, 2013 @ 19:56

    Help! There’s no upgrade notice on my dashboard. I’m using elemin 1.4.2 and framework 1.5.9. Should I reload elemin?


  6. CPowers
    Nov 16, 2013 @ 20:23

    Thanks for the quick answer. So should I reinstall elemin? Will that upgrade the framework too? Sorry but I don’t know very much about this stuff. I watched the video about how to upgrade so I’m good to go on the how, I just don’t know what to install.


  7. Chris Shevlin
    Nov 18, 2013 @ 12:29

    I got an email from my host this morning saying that they’ve removed permissions from index.php because it was using too much processor time – presumably because someone has exploited the vulnerability in themify-ajax.php. I tried to update the theme using WordPress, but the page just stopped responding whenever I clicked ‘update’. So I’ve backed up the theme to my hard drive, deleted it from the server using an FTP program, and uploaded the latest version from Themify.

    Will that sort out the problem, or do I need to do more? Presumably the hackers have uploaded something. How do I find out what? I’ve asked my hosting company but haven’t had a reply yet.

    I hope you can help me.


  8. George
    Dec 08, 2013 @ 13:31

    What about the speed of this framework?


    • Nick La
      Dec 10, 2013 @ 19:26

      This framework update does not affect the speed.

