I was researching it prior to posting and I couldn’t find anything out there (via Google search and/or the WP plugin support forum) that spoke to potential vulnerabilities – admittedly, that did little to bolster confidence about the plugin or the idea in general. The author attempted to vaguely address security in the FAQs with these two statements…
Who can upload files?
By default only administrators can upload files. However you can define which user roles are allowed to upload files, beyond administrators. Even guests can be allowed to upload files, however use this option with care.
What security is used for uploading files?
The plugin is designed not to expose website information by using sessions. Parameters passing from server to client side are encoded. For higher protection, like use of captcha, please consider the Professional version of the plugin.
To me, this leaves more questions than answers. And, actually combing the plugin’s code/script far exceeds my reach.