Thought I'd update you on this.
First of all, I apologize for this lack of security checks, and I'm glad it was discovered before someone was hit by it.
I'm putting a patch together right now, and I'll send the mod back so that my fellow Customizers can look at it again.
Once it's out, it should be perfectly safe to use this mod again. I apologize for the inconvenience.
I actually never knew that it was possible to hack the script this way, uploading dangerous files to the server without using the ACP form, which proves yet again that you learn something new every day.
Edit: New package uploaded and awaiting review.