Hi, I previously posted a question on this forum 4 months ago about this issue, but had no reply (see: http://wordpress.org/support/topic/plugin-wordtube-possible-bug-or-security-issue-access-is-allowed-to-contributors) - I then (stupidly) forgot all about this issue until recently, when a Sucuri SiteCheck scan of our sites found Malware on 3 of the 4 or so sites which are using WordTube, and the security scan also specifically identified WordTube as being the malware/infected files (Note: one site was scanned repeatedly but each time it was found to be clean, which would seem to rule out the possibility of the other results being errors / false-positives...)
I have looked into it further and found that WordTube does indeed allow ANYONE who is a mere subscriber / member on your website to upload files to the server at will via the WordTube dashboard widget .... in addition, this function currently cannot be disabled - I disabled the dashboard widget whilst logged in as admin, but this only disabled it for my own account - upon logging in as a mere member/subscriber I found that the WordTube dashboard widget was still available to subscribers & everyone else etc.... So, I don't want to be alarmist or jump to conclusions, (and I really love this plugin, it's great and was perfect for our needs), but it would seem that some of our sites have been infected with malware and it would seem likely that the infection is due to this (severe & highly dangerous) hole in WordTube which allows any subscribers to upload files at will....
I'd like to hear from anyone else if they've had the same problem? - Also, anyone wanting to scan their websites in order to see if you have any malware can use the sucuri sitecheck scanner - http://sucuri.net/
Hope this helps