• DELETE THE CURRENT VERSION OF MistyLook and Paalan ASAP!

    Sorry for the caps. However, these themes can be abused for spam slinging. The contact.php file in both themes
    a) runs without checking that it was called from WordPress, so if it is called directly through its URL, it will run without complaint;
    b) allows a visitor to determine both recipient and message body;
    c) does have an anti-spam challenge; however, it’s totally ineffective: it’s always the same question and always the same answer.

    (a) in itself is a minor problem, though You Should Prevent This To Short-Circuit Lots of Attack Vectors.
    (b) is always dangerous. It allows spammers to obfuscate their identity (it’s your site that’s listed as spam source, not the visitor who sent the mail), and can serve as a bandwidth multiplier (the spammer sends the message once, your server sends it as often as the spammer entered a mail address – you can provide multiple, comma-separated mail addresses and the mail system will faithfully send a copy to each recipient).
    (c) is the most horribly half-*ssed method of spam prevention that I have ever seen.

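A hardened contact handler that addresses each of (a), (b) and (c), as an added example that is not code from either theme; the `init` hook, the nonce action name `theme_contact`, the field names and the requirement that the form be rendered with `wp_nonce_field( 'theme_contact', 'contact_nonce' )` are assumptions:

```php
<?php
// Added example, not the themes' own contact.php. Assumes it is included by a
// WordPress theme and that the form was rendered with
// wp_nonce_field( 'theme_contact', 'contact_nonce' ).

// (a) refuse to run when the file is requested directly by URL: ABSPATH is
// only defined when WordPress itself loaded this file.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

function theme_handle_contact() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }

    // (c) instead of a fixed question/answer, require a nonce that WordPress
    // minted when it rendered the form; it is time-limited and per visitor,
    // so a scripted POST aimed straight at the handler fails here.
    $nonce = isset( $_POST['contact_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['contact_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'theme_contact' ) ) {
        wp_die( 'Invalid form submission.', '', array( 'response' => 403 ) );
    }

    // (b) the recipient is never taken from the request: mail goes only to
    // the site administrator, so the form cannot relay to arbitrary addresses.
    $to = get_option( 'admin_email' );

    $sender_name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $sender_email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message      = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );

    if ( ! is_email( $sender_email ) || '' === $message ) {
        wp_die( 'Please supply a valid e-mail address and a message.', '', array( 'response' => 400 ) );
    }

    // The subject is fixed and visitor text appears only in the body, so no
    // mail header (including extra recipients) can be smuggled in.
    $subject = sprintf( '[%s] Contact form message', get_bloginfo( 'name' ) );
    $body    = "From: {$sender_name} <{$sender_email}>\n\n{$message}";

    wp_mail( $to, $subject, $body, array( 'Reply-To: ' . $sender_email ) );
}

// Assumed wiring: run the handler once WordPress has loaded its pluggable functions.
add_action( 'init', 'theme_handle_contact' );
```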
  • The topic ‘SPAM-0wned: Misty Look and Paalan’ is closed to new replies.