I'm still not clear on whether or not the plugin has a security vulnerability, but anyway - perhaps there is a way to disable the plugin if it's active, so if people upgrade, it would be disabled? Or is it still a problem just to have it in your plugins directory?