By default (and for good reason), WordPress limits the types of files which you may upload. You can show this yourself by going to the “Add Post” page, choosing to upload a file, and then uploading a PHP file. WordPress will warn you that due to security reasons, uploads of that file type are disallowed.
If, however, you desire to upload whatever you please, you can accomplish that with a simple one-liner to be added to Thesis’
Once added, any “super admins” (if multisite is enabled) or users who have the delete_users capability (on a single-site installation) will have the unrestricted ability to upload whatever they want.
Using that code, you have the power to upload files to your site which could theoretically allow malicious users to take full control of your website — any script which the server can process will be executed any time a user visits your uploaded file, so please upload with discretion! Also, unless you trust your entire admin team, do not use this code on a multi-author blog.