The tool is very useful, but extremely dangerous! Even when disabled in /wp-admin/plugins.php, the PHP files can still be accessed directly. They require no authentication whatsoever but offer full access to the database.
The only limit I found is that you have to guess the database name and prefix, which is not so hard in most cases.
I've disclosed all details to the author, but got no reply at all.
@Author: please fix this
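
An added example, not part of the review above and not the plugin's code: a site owner's audit that lists plugin PHP files which would run when requested directly, because they lack the usual WordPress `defined('ABSPATH')` guard near the top. The function names and the sample plugin tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

HEAD_BYTES = 4096  # a guard only helps if it runs before the file does any work

# Block comments and whole-line comments, so a commented-out guard does not count.
COMMENTS = re.compile(r"/\*[\s\S]*?\*/|^[ \t]*(?://|#)[^\n]*$", re.MULTILINE)
# e.g.  if ( ! defined( 'ABSPATH' ) ) { exit; }   or   defined('ABSPATH') || die();
GUARD = re.compile(
    r"defined\s*\(\s*['\"](?:ABSPATH|WPINC)['\"]\s*\).{0,40}?\b(?:exit|die)\b",
    re.IGNORECASE | re.DOTALL,
)

def has_guard(source: str) -> bool:
    """True if the start of the file bails out when WordPress is not loaded."""
    head = COMMENTS.sub("", source[:HEAD_BYTES])
    return GUARD.search(head) is not None

def unguarded_php_files(plugin_dir):
    """Return relative paths of .php files with no direct-access guard."""
    root = Path(plugin_dir)
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if not has_guard(text):
            hits.append(path.relative_to(root).as_posix())
    return hits

def build_sample_plugin(root):
    """Constructed sample tree; file names and contents are made up."""
    samples = {
        "main.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\n",
        "inc/short.php": "<?php defined('ABSPATH') || die();\n",
        "export.php": "<?php\n$name = $_GET['db'];\necho $name;\n",
        "inc/fake.php": "<?php\n// if (!defined('ABSPATH')) exit;\necho 'hi';\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_plugin(tmp)
        for rel in unguarded_php_files(tmp):
            print("no ABSPATH guard:", rel)
```

A file with the guard cannot be executed outside WordPress; a flagged file still needs manual review, and a file meant to be an entry point needs its own authentication and capability checks.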