Previously it was possible for one authorized user to impersonate another by forging their WordPress login cookie. A malicious user would need to be authorized via your external authentication mechanism first. Thanks to Mark Quinn for reporting this.
I apologize for the inconvenience. If you have any questions, post them here or, if they are security sensitive, email me.
Update: When you upgrade, please edit each user’s profile in WordPress to scramble his or her password in the database.