Reported by Sucuri, the HD FLV Player plugin suffers from an Arbitrary File Download vulnerability, which is of course considered critical.
The vulnerable code can be found in
<?php
$filename = $_GET['f']; // attacker-controlled, used unchecked
// basename() only sanitizes the value shown in the header, not the path read below
header('Content-disposition: attachment; filename='.basename($filename));
readfile($filename); // reads the raw, unfiltered path
?>
Since absolutely no check or filter is applied to the f parameter before it is used, this is the perfect backdoor for fetching almost any file on the machine (limited only by the permissions of the user the web server runs as). Note that basename() is applied only to the value placed in the Content-Disposition header; the raw, attacker-controlled path is what readfile() opens, so a traversal sequence such as ../ in f is followed as-is. Because the script runs as a standalone PHP file rather than through WordPress's plugin loader, it is exposed whether the plugin is activated or not: simply having it installed is enough.
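The fix is to resolve the requested name against a fixed directory and refuse anything that escapes it. The handler below is an added example written for this post, not the plugin's own code; the uploads directory ($base_dir) and the list of allowed extensions are assumptions, so adjust them to the real layout.

```php
<?php
// Added example (not the plugin's code): hardened download handler.
// Assumption: served media lives under ./uploads relative to this script.
$base_dir = realpath(__DIR__ . '/uploads');
if ($base_dir === false) {
    http_response_code(500);
    exit('Download directory missing');
}

$name = isset($_GET['f']) ? (string) $_GET['f'] : '';

// Accept only a bare file name: no directory separators, no traversal,
// no NUL bytes. "../../some/other/file" fails the basename() comparison.
if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
    http_response_code(400);
    exit('Invalid file name');
}

// Serve only the media types the player actually plays (assumed list).
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!in_array($ext, ['flv', 'mp4'], true)) {
    http_response_code(403);
    exit('File type not allowed');
}

// realpath() returns false for missing files and resolves symlinks, so the
// canonical path can be compared against the base directory prefix.
$path = realpath($base_dir . DIRECTORY_SEPARATOR . $name);
$prefix = $base_dir . DIRECTORY_SEPARATOR;
if ($path === false
    || strncmp($path, $prefix, strlen($prefix)) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The two checks are deliberately redundant: the basename() comparison rejects any path component up front, and the realpath() prefix test catches anything that still resolves outside $base_dir (for example a symlink dropped into the uploads directory). Together with the extension allowlist, the script can no longer be used to read files the player was never meant to serve.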