I have contacted some 20+ websites using one of the vulnerable themes, hoping the customers would ask for updates. I cannot do that myself: the official support forum requires an item purchase code.
Some corrective actions have been taken based on this forum discussion: http://www.kriesi.at/support/topic/xss - in fact, test results based on the theme live previews indicate that all reported issues may have been fixed. Quote from the changelog of the Choices theme on ThemeForest:
2012 30 09 – Version 1.6.0
- improved security by filtering search parameters

Test results of three randomly selected sites are worrying:
- Choices theme - website XSS
- Shoutbox theme - website XSS
- Abundance theme - website XSS
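The changelog entry above only says that search parameters are now filtered. For readers who maintain a theme themselves, the following is an added illustration of the bug class behind that fix: it is not code from Choices, Shoutbox, Abundance or any other Kriesi theme, and the sample search term is constructed. It shows the classic WordPress search template mistake (printing the raw `s` query parameter back into the page) next to the escaped form, in plain PHP so it runs without WordPress.

```php
<?php
// Added illustration of the reflected-search-parameter bug class.
// Not taken from any theme named on this page; the sample term is constructed.

// Constructed sample input: the kind of value a crafted link ?s=... can carry.
$sample_term = '<script>alert(document.cookie)</script>';

// Vulnerable pattern: the raw parameter is concatenated into HTML, so the
// script tag reaches the visitor's browser intact (reflected XSS).
function render_search_heading_vulnerable(string $term): string {
    return '<h1>Search results for: ' . $term . '</h1>';
}

// Hardened pattern: escape for the HTML body context before output.
// In a WordPress template the equivalent is esc_html( get_search_query( false ) );
// outside WordPress, htmlspecialchars() with ENT_QUOTES does the same job.
function render_search_heading_hardened(string $term): string {
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>Search results for: ' . $safe . '</h1>';
}

// The same term echoed back into the search box is an attribute context
// (value="..."), which must be escaped as well (esc_attr() in WordPress).
function render_search_box_hardened(string $term): string {
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="search" name="s" value="' . $safe . '">';
}

// Use the real query parameter when run under a web server, the constructed
// sample when run from the command line.
$term = isset($_GET['s']) ? (string) $_GET['s'] : $sample_term;

echo render_search_heading_vulnerable($term), "\n"; // markup from the URL survives
echo render_search_heading_hardened($term), "\n";   // angle brackets are entity-encoded
echo render_search_box_hardened($term), "\n";       // quotes cannot close the attribute
```

Run it with `php example.php` and compare the first two lines of output: the hardened heading shows the search term as text, the vulnerable one hands the browser a script tag. The practical check for a site that claims to be fixed is exactly this comparison, made on its search results page and on its search box.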
ThemeForest support has a clear policy: submitting fixes and informing customers is the theme developer's job. Envato provides ThemeForest as a marketplace, or platform, for authors to sell their digital creations. It is the author who owns the product and who is therefore responsible for support and maintenance.
I don't know how the theme developers inform existing customers about security fixes. Perhaps the customers receive all updates automatically. Perhaps there is an e-mail notification or just one line in the changelog.
In this case the number of potentially affected sites is over 16,000. I have checked the developer site, support forum, blog and ThemeForest entries, and I have not found any clear security update alert to the affected customers. If the theme developer does not actively inform customers about available fixes, attackers could easily locate the sites still running vulnerable versions.
Please help to distribute this information. I simply cannot locate and contact 16,000 sites.