Possible security hole in directory / listings plugin

Hi there,

I just had a really weird problem with my multisite network and I fear that the Directory plugin is to blame.

I logged in as the network admin and found that for some of the sites (not all), when I went to the Dashboard, instead of going to the dashboard of the site I wanted, I was taken to a page which had a bunch of spammy parked ads on it. I double-checked whether the sites were parked with ads (they are subdomains anyway, so unlikely), but they’re not.

I’d found that having Directory network-activated caused some weirdness, such as it being visible on all sites even if they hadn’t activated it, so I was disabling it anyway. Once it was disabled, when I went to the same subdomain (the main domain is loading fine, and the subdomain hasn’t been mapped to the site’s future domain yet), I got a 504 gateway timeout. I did an nslookup on the subdomain and it was pointing to Rackspace (who is not my provider), so I’m going to go ahead and report abuse to them as well as refresh my DNS on the server end, but any insight as to why this may have occurred would be appreciated.