ThemePunch addressed this months ago. This is such old news. Sucuri, Dreamhost and others are making hay of this now solely for profit purposes.
For any Striking MultiFlex users, all theme versions 1.0.2 and subsequent (and all the preceding 1.0.2 betas, which were released only as internal builds to users who were interested) in Feb/March 2014 incorporated the updated version of the Rev Slider plugin with the vulnerability removed.
We are now at Version 1.1 of Striking MultiFlex.
Themepunch addressed this matter immediately upon knowledge of it. It's right in their log. If you did not understand it then you should have asked them. They have a very active support team and are extremely easy to reach - we can vouch for that as we speak with them all the time.
Themeforest is supposed to be a marketplace for professionals - so it stands to reason that if you are not keeping on top of scripts, theme updates (irrespective of theme) and plugin updates, as a professional you have no one to blame but yourself. If you are in the DIY category of user, and have a theme with a concern or an author who has not updated, then advise Themeforest - don't take it out on the marketplace, or on the high quality developers, because you did not understand your purchase terms.
Themes are under no obligation to update. The Themeforest sales model is that one buys a piece of software at an inexpensive price, and upon successful download the contract is fulfilled. Simple, end of story! It's right in the marketplace licensing terms. It makes sense to choose an author (like us!) who has a long term track record of maintaining a theme, but that is your choice.
As well, were one following wp best practices such as moving the wp config file outside the root, or moving the wp admin, or even employing a simple tweak or two in the .htaccess file for limiting access, the issue of the vulnerability that was in the Rev Slider is moot.
Yes, the plugin had a vulnerability, but so have many widely used theme scripts in the past. Remember Timthumb? The last wp core update 3.9.2 was entirely about removing potential hacks. Same with many of the php updates.
What we think is more relevant is that one has been shown a significant weakness in the product offerings of both Sucuri and Dreamhost. We never recommend either to any of our customers, but this is yet more proof that there is less than meets the eye there in respect of their products. They are attempting to hop on the train, but it left the station months ago…
============
As for not allowing wp plugins to be placed into a theme, which has been noted in a comment or two of this thread, sorry, that is so much hogwash. For a theme developer, plugins are just another form of script that potentially can be deployed in a theme. If you are concerned about a theme that has built-in plugins, it's simple, don't purchase. But sorry, we are not going to restrict our theme-building decisions on the basis of such elementary concerns.
Every theme is in fact just a collection of scripts in one form or another, and if the integration of such concerns you, then really there is nothing at all you can use.
We have to bite our tongues every time we see this type of issue about plugins included in a theme raised at Themeforest. How premium plugins are advertised when included in a theme is a relevant discussion. Pricing for extended plugin licenses is a relevant discussion. But really, the issue of inclusion of plugins, whether one has offloaded one's own code for a function into a built-in plugin, included a codex plugin such as Breadcrumbs Plus, or a premium plugin, just shouts, well, that part is best left unsaid…
The goal at Themeforest should not be to dumb down every theme to the level of that found in the codex, at wordpress.com or some of the competing theme sites such as Template Monster. That is the goal of the competition hammering away at Themeforest due to the current issue. Don't fall for it.
Best Regards
Striking Team
James