Because this page cannot be viewed by the admin or other users, only quite unlikely attack scenarios are possible, so the impact should be considered very low.
2010-04-30: Vendor contacted
2010-04-30: Vendor replied
2010-05-01: Vendor released 1.7.1 with fix
2010-05-07: Published advisory
This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of schokokeks.org webhosting.