Check out the contents of wp-userlogin.php; it does not check the current user's credentials anywhere. I mean it should include at the beginning something like:
if (!current_user_can("administrator")) return;
I haven't used the plugin yet, but couldn't an attacker simply POST user_name to wp-userlogin.php and log in as anyone they like?
To fix it see this: http://codex.wordpress.org/Function_Reference/current_user_can
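As an added illustration of the kind of guard described above (this is not the plugin's own code, and the handler name and form field are assumptions), a WordPress request handler can refuse to act unless the caller both holds a suitable capability and presents a valid nonce. WordPress recommends checking capabilities such as `edit_users` rather than role names like `administrator`, so the example uses a capability.

```php
<?php
// Hypothetical hardened handler for a "log in as user" action.
// Assumes it is loaded inside WordPress (wp-load.php already included),
// so current_user_can(), wp_verify_nonce() and wp_die() are available.

function hardened_userlogin_handler() {
    // 1. Authorization: only users allowed to manage other users may proceed.
    //    'edit_users' is a real core capability granted to administrators.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        wp_die( 'You are not allowed to do this.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the form must carry a nonce generated with
    //    wp_nonce_field( 'userlogin_action', 'userlogin_nonce' ) (assumed field name).
    if ( ! isset( $_POST['userlogin_nonce'] )
         || ! wp_verify_nonce( $_POST['userlogin_nonce'], 'userlogin_action' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Only now read the untrusted input (assumed field name 'user_name').
    $user_name = isset( $_POST['user_name'] ) ? sanitize_user( $_POST['user_name'] ) : '';
    $user      = get_user_by( 'login', $user_name );
    if ( ! $user ) {
        wp_die( 'Unknown user.', 'Bad Request', array( 'response' => 400 ) );
    }

    // Record who performed the switch so the action is attributable in logs.
    error_log( sprintf( 'userlogin: admin %d switched to user %d',
        get_current_user_id(), $user->ID ) );

    wp_set_current_user( $user->ID, $user->user_login );
    wp_set_auth_cookie( $user->ID );
}
```

The important ordering is that the capability and nonce checks run before any POST data is read or any session is created; without step 1, the endpoint is reachable by any visitor, which is exactly the problem raised in the post.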