The getfile.php script is accessible to everyone.
The is_admin() function is used to check privileges, but because this code runs in the context of wp-admin/admin-ajax.php, that function always evaluates to true: is_admin() only reports that an admin-side script is serving the request, not that the current user is an administrator.
So we can download any file.
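The following is an added illustration, not the affected plugin's code, showing the weak check the advisory describes next to a hardened handler; the hook name, nonce action, capability and download directory are assumptions.

```php
<?php
// Constructed example for this advisory; names and paths are assumptions.

// Weak pattern: is_admin() is true for every request served through
// wp-admin/admin-ajax.php, logged in or not, so this check never fails.
function example_getfile_weak() {
    if ( ! is_admin() ) {
        wp_die( 'Forbidden' );
    }
    readfile( $_GET['file'] ); // caller-controlled path, no authorization
}

// Hardened handler: check the user's capability, bind the request to a
// nonce, and confine the requested name to a single download directory.
function example_getfile_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_getfile', 'nonce' );

    $base = realpath( WP_CONTENT_DIR . '/uploads/example-downloads' );
    $name = basename( isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '' );
    $path = ( $base !== false && $name !== '' ) ? realpath( $base . '/' . $name ) : false;

    // Reject anything that resolves outside the allowed directory.
    if ( $path === false || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'not found', 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    readfile( $path );
    exit;
}

// Register for authenticated callers only; the wp_ajax_nopriv_ variant is
// deliberately omitted so anonymous requests are refused by WordPress itself.
add_action( 'wp_ajax_example_getfile', 'example_getfile_hardened' );
```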
Proof of Concept:
- 14-10-2014: Discovered
- 06-11-2014: Vendor notified
- 14-11-2014: Version 1.7.15 released, issue resolved