I suppose its not really "bug" unless you have to combat a TON of spam because of it, but let me explain.
I have used the shortcode [WPBUSDIRMANADDLISTING] to create a custom page for users to be able to add listings. The page I created is a protected page so only administrators and editors can access the page and submit listings.
I disabled the submit a listing button.
The problem is - anyone who knows http://www.mysite.com/?action=submitlisting can still access the page. Disabling the button does not stop users from still accessing and submitting listings. I testing this on a clean install also, and at best I can check "must be logged in" which stops a lot, but still anyone who can create an account can then access the page with or without the link being displayed.
Is there a way to completely disable the ?action=submitlisting so that one MUST be on my custom page to submit the listing? Is there anyway to really disable the abilty to submit listings at all? It would seem to me no matter what one does with this plugin, anyone who knows the page and the action call can then submit.