It appears that the latest version of Verve Meta Boxes includes an outdated version of timthumb.php in /tools directory. There is a known security risk with this version of timthumb.php. Hackers can exploit this file to upload malicious scripts to your site.
Simply having the plugin on your site even if not activated still means you are at risk because the file is still publicly accessible.
In my testing, I was able to simply replace the entire contents of timthumb.php with the latest version of the script which is much more secure. The latest source code for timthumb can be found here: http://timthumb.googlecode.com/svn/trunk/timthumb.php.
Doing so did not affect the ability of Verve Meta Boxes to perform as normal, in my case, however as always change this at your own risk. From what I can tell (and I'm no expert) it appears that Verve Meta Boxes simply uses timthumb to display an image you upload on the edit screen.
I'm in no way affiliated with this plugin, I've just used it on many websites I've created and want to save people the trouble of dealing with a hacked website. I already had to remove malicious code from one of my sites.
More information about the vulnerability in timthumb can be found here: http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
If you don't feel comfortable editing the timthumb.php file, I recommend removing the plugin from your site until the developers properly address this.