An arbitrary script may be executed on the user's web browser.
On August 12 2014, Cakifo 1.6.2 which contains a fix for this vulnerability has been released.
By default, only users with the
upload_files capability are able to upload images. If you allow untrusted users to upload images, you should either disallow that or update the theme to the latest version.