Themify, one of the popular premium WordPress themes providers and who also happens to be one of the sponsors of our $10,500 ThanksGiving Giveaway, issued an alert to all Themify framework users last Wednesday. It talks about recently received and confirmed reports of an existing vulnerability in their Themify framework and includes the necessary steps to take in order to make sure that users are protected from the vulnerability.
Themify framework version 1.2.2 fixed and removed the unsecure file called “themify-ajax.php” so only those running on framework versions prior to version 1.2.2 are affected by the vulnerability. However, if the upgrade was done via the auto-upgrader, then the unsecure file would still be in the server. Leaving the “themify-ajax.php” file on the server will allow intruders to upload any type of files to that server.
To fix this issue, Themify has released an updated framework version 1.6.3 which will delete the legacy file “themify.ajax.php” and other unknown files in the theme “uploads” folder. This update will delete the files automatically so users don’t have to spend time looking and deleting those unknown files. All Themify users are advised to upgrade to this latest version ASAP!
To upgrade your Themify theme or framework, head over to your Themify option page and look for the upgrade notice. Once the update is done, you can double check and make sure whether the “themify-ajax.php” file still exists or not by following these steps:
Don’t delay and do it immediately to prevent intruders and other malicious individuals from exploiting your blog or website. Better safe than sorry. It’s better to spend time fixing this issue now than having to deal with the stress and tedious cleanup process when it gets compromised.
Kudos to the folks at Themify for addressing this issue quickly and releasing the required fixes/solutions for the vulnerability.