MistyLook contact form seems to allow spam

When hunting for a spamslinging script, I found that the contact form in the MistyLook theme is prone to spamming: visitors can set recipient address and textual content (which means that the spammer can use the contact form as a bandwidth multiplicator, by specifying multiple recipient addresses, and to hide the spam origin).

Now while that’s a bug, the real question is whether I already found the culprit. The theme isn’t active – is there any way that a visitor can run the script in the themes folder anyway?