Sorry for the delay in responding - it's that time of year.
I think the "exploit" is theoretical only - that is, I don't think anyone could demonstrate an actual case where someone's security is actually harmed.
I believe the problem is related to the fact that FormMail will process forms using the GET method (the POST method is more usual).
We only support the GET method for the handful of broken servers that don't allow their webmasters to use the POST method.
So, the solution to this is to disable the GET method and only enable it under a configuration setting.
We'll implement this shortly, so keep an eye out for updates.
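The change described in the reply above (reject GET submissions unless a configuration setting turns them on, keep POST as the default), written out as an added illustration in Python. This is not FormMail's own code and the setting name `allow_get_method` is an assumption; the request environment and bodies are constructed inline in the style of a CGI script.

```python
import os
import sys
from urllib.parse import parse_qs

# Constructed configuration (hypothetical setting name, not FormMail's own):
# GET is off by default, so form data cannot be submitted via the query
# string unless a webmaster on one of the "broken" servers opts in.
CONFIG = {"allow_get_method": False}


class MethodNotAllowed(Exception):
    """Raised when the request method is not accepted under the current config."""


def _flatten(qs: str) -> dict:
    """Decode an application/x-www-form-urlencoded string into a flat dict."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def read_form_fields(environ: dict, raw_body: bytes = b"", config: dict = CONFIG) -> dict:
    """Return the submitted form fields for a CGI request.

    POST: fields come from the request body (the normal case).
    GET:  fields come from QUERY_STRING, but only when allow_get_method is set;
          otherwise the submission is refused. Query strings are routinely
          written to access logs and sent as Referer headers, which is why
          GET stays off unless the site explicitly needs it.
    """
    method = environ.get("REQUEST_METHOD", "").upper()

    if method == "POST":
        return _flatten(raw_body.decode("utf-8", "replace"))

    if method == "GET":
        if not config.get("allow_get_method", False):
            raise MethodNotAllowed(
                "GET submissions are disabled; set allow_get_method to accept them")
        return _flatten(environ.get("QUERY_STRING", ""))

    raise MethodNotAllowed(f"unsupported request method {method!r}")


def handle_request(environ: dict, raw_body: bytes = b"", config: dict = CONFIG):
    """Map a request to (HTTP status, fields). Fields are None on refusal."""
    try:
        return 200, read_form_fields(environ, raw_body, config)
    except MethodNotAllowed:
        return 405, None


def main() -> None:
    # Real CGI entry point: read the body only for POST, sized by CONTENT_LENGTH.
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.buffer.read(length) if os.environ.get("REQUEST_METHOD") == "POST" else b""
    status, fields = handle_request(os.environ, body)
    if status == 405:
        print("Status: 405 Method Not Allowed\r\nAllow: POST\r\nContent-Type: text/plain\r\n")
        print("Form submissions must use the POST method.")
        return
    print("Content-Type: text/plain\r\n")
    for name, value in fields.items():
        print(f"{name}: {value}")


if __name__ == "__main__":
    main()
```

With the default configuration a GET submission gets a 405 and is never processed; flipping `allow_get_method` to `True` restores the old behaviour for the few hosts that cannot use POST, which matches the opt-in arrangement the reply describes.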