I contacted 3APA3A, who contacted the original researcher, and an exploit is now in the developer's hands. I did some cursory analysis and 3APA3A did some more extensive followup that suggests there is a real issue, but I'll wait to post details until we hear back from the developer. - Steve